Upwards of 30,000 internet-facing GitLab servers have yet to be patched for a critical CVSS 10 vulnerability that has been actively exploited in the wild, according to security researchers at Rapid7.
The GitLab vulnerability, CVE-2021-22205, affects all versions of both GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting from 11.9. The vulnerability was patched in the following versions:
Despite the bug having been fixed since April, patching has been slow, which is surprising given the severity of the GitLab vulnerability. On September 21, 2021, GitLab revised the CVSS score from 9.9 to 10.0, recognising it as a pre-authentication RCE bug. CVE-2021-22205 lets a remote, unauthenticated attacker execute arbitrary commands as the git user (the account GitLab's own services run as) because of ExifTool's mishandling of DjVu files, an issue tracked separately as CVE-2021-22204.
(GitLab relies on a number of components such as Nginx and Redis. Its gitlab-workhorse component invokes ExifTool on uploaded files before passing the final attachment to Rails, which is why a bug in ExifTool becomes a bug in GitLab. ExifTool is an open source Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. The bug in GitLab's use of ExifTool was initially disclosed by Australia-based developer and security researcher William Bowling via the HackerOne bug bounty programme.)
Rapid7 said: “The confusion around the privilege required to exploit this vulnerability is odd. Unauthenticated and remote users have been and still are able to reach execution of ExifTool via GitLab by design. Specifically HandleFileUploads in uploads.go is called from a couple of PreAuthorizeHandler contexts allowing the HandleFileUploads logic, which calls down to exif.go, to execute before authentication.
“The fall-out of this design decision is interesting in that an attacker needs none of the following:
- A CSRF token
- A valid HTTP endpoint
“As such, the following curl command is sufficient to reach, and exploit, ExifTool.”
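The design point in Rapid7's description is ordering: the upload handler hands every multipart body to an external tool before the request has been authorised or even routed to a real endpoint. The following Go model, added here as an illustration and not code from gitlab-workhorse or Rapid7, contrasts that vulnerable ordering with a hardened one in which authorisation and endpoint routing happen first. All names (uploadFrontend, runMetadataTool, Simulate), the bearer token and the upload body are invented for the example; the metadata tool is simulated, not a real ExifTool invocation. Note that the hardened ordering shown is a general design remedy and is not how GitLab fixed the issue, which was done by shipping a patched ExifTool.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed credential used only by this example.
const validToken = "Bearer constructed-valid-token"

// uploadFrontend stands in for a reverse proxy (workhorse-like) sitting in
// front of the application. authFirst selects the hardened ordering.
type uploadFrontend struct {
	authFirst bool
	toolCalls int // how many times the simulated external tool was reached
}

func isMultipartUpload(r *http.Request) bool {
	return r.Method == http.MethodPost &&
		strings.HasPrefix(r.Header.Get("Content-Type"), "multipart/form-data")
}

func (f *uploadFrontend) authorised(r *http.Request) bool {
	return r.Header.Get("Authorization") == validToken
}

// runMetadataTool simulates spawning an external parser (ExifTool in GitLab's
// case) on the uploaded file. In the real system this is the point at which an
// attacker-controlled file would be parsed, so reaching it pre-auth matters.
func (f *uploadFrontend) runMetadataTool(r *http.Request) error {
	if err := r.ParseMultipartForm(1 << 20); err != nil {
		return err
	}
	file, _, err := r.FormFile("file")
	if err != nil {
		return err
	}
	defer file.Close()
	if _, err := io.Copy(io.Discard, file); err != nil {
		return err
	}
	f.toolCalls++
	return nil
}

func (f *uploadFrontend) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !f.authFirst {
		// Vulnerable ordering: any multipart POST, to any path, with no token
		// and no CSRF check, reaches the external tool before the 401 is sent.
		if isMultipartUpload(r) {
			if err := f.runMetadataTool(r); err != nil {
				http.Error(w, "bad upload", http.StatusBadRequest)
				return
			}
		}
		if !f.authorised(r) {
			http.Error(w, "unauthorised", http.StatusUnauthorized)
			return
		}
	} else {
		// Hardened ordering: authorise, route, and only then parse the body.
		if !f.authorised(r) {
			http.Error(w, "unauthorised", http.StatusUnauthorized)
			return
		}
		if r.URL.Path != "/uploads" {
			http.NotFound(w, r)
			return
		}
		if isMultipartUpload(r) {
			if err := f.runMetadataTool(r); err != nil {
				http.Error(w, "bad upload", http.StatusBadRequest)
				return
			}
		}
	}
	w.WriteHeader(http.StatusOK)
}

// Simulate sends one multipart POST to an in-process server and reports the
// HTTP status and whether the simulated external tool was reached.
func Simulate(authFirst bool, path, token string) (status int, toolReached bool) {
	f := &uploadFrontend{authFirst: authFirst}
	srv := httptest.NewServer(f)
	defer srv.Close()

	// Constructed upload body; the payload is placeholder text, not a DjVu file.
	body := "--boundary\r\n" +
		"Content-Disposition: form-data; name=\"file\"; filename=\"image.djvu\"\r\n" +
		"Content-Type: image/vnd.djvu\r\n\r\n" +
		"placeholder bytes\r\n" +
		"--boundary--\r\n"
	req, err := http.NewRequest(http.MethodPost, srv.URL+path, strings.NewReader(body))
	if err != nil {
		return 0, false
	}
	req.Header.Set("Content-Type", "multipart/form-data; boundary=boundary")
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, false
	}
	resp.Body.Close()
	return resp.StatusCode, f.toolCalls > 0
}

func main() {
	for _, authFirst := range []bool{false, true} {
		status, reached := Simulate(authFirst, "/no-such-endpoint", "")
		fmt.Printf("authFirst=%-5v unauthenticated POST to bogus path: HTTP %d, tool reached=%v\n",
			authFirst, status, reached)
	}
}
```

In the vulnerable ordering an unauthenticated POST to a non-existent path still gets a 401, but the tool has already run on the attacker's file by then; in the hardened ordering the same request is rejected before any body parsing, and only an authorised request to the real upload endpoint reaches the tool.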
GitLab users should upgrade to the latest version of GitLab as soon as possible.