A now-patched critical remote code execution (RCE) vulnerability in GitLab”s web interface has been detected as actively exploited. The vulnerability which was first discovered in April 2021was first described as an authenticated remote code execution (RCE) vulnerability but has since elevated to an unauthenticated vulnerability.
The GitLab vulnerability being tracked as CVE-2021-22205 was the result of passing user-provided images to the services embedded version of ExifTool. A remote attacker could execute arbitrary commands as
the git user due to ExifTools mishandling of DjVu files.
How it works
The confusion around the privilege required to exploit this vulnerability is strange. Unauthenticated and remote users have been and still are able to reach execution of ExifTool via GitLab. Specifically HandleFileUploads in uploads.go is called from a couple of PreAuthorizeHandler contexts allowing the HandleFileUploads logic, which calls down to rewrite.go and exif.go, to execute before authentication.
The fall-out of this design decision is interesting in that an attacker needs none of the following:
A CSRF token
A valid HTTP endpoint
As such, the curl command curl -v -F “file=@echo_vakzz.jpg” http://10.0.0.8/$(openssl rand -hex 8) is sufficient to reach, and exploit ExifTool.
The Vulnerability was patched in versions 13.10.3, 13.9.6 & 13.8.8. GitLab users should upgrade to the latest version of GitLab as soon as possible. Ideally, GitLab should not be an internet facing service. If you need to access your GitLab from the internet, consider placing it behind a VPN.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Hackers Exploiting GitLab Unauthenticated RCE Flaw.pdf
Lakshmanan, Ravie. (2nd November 2021). Hackers Exploiting GitLab Unauthenticated RCE Flaw. Retrieved from The Hacker News:
Baines, Jake. (1st November 2021). GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild. Retrieved from Rapid7: