back to article Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers

GitLab admins should apply the latest batch of security patches pronto given the new critical account-bypass vulnerability just disclosed. Tracked as CVE-2023-7028, the maximum-severity bug exploits a change introduced in version 16.1.0 back in May 2023 that allowed users to issue password resets through a secondary email …

  1. Pascal Monett Silver badge

    "ripe for exploitation since May"

    Wow. That's just 7+ months of serious vulnerability.

    I'm glad I don't use GitLab. And it's interesting to note that not all 2FA methods are equal.

    Security is hard, no denying that.

    1. amanfromMars 1 Silver badge

      Re: "ripe for exploitation since May"

      Security is hard, no denying that. ..... Pascal Monett

      Indeed, and catastrophic weaknesses and diabolical vulnerabilities for ruthless 0day exploit and foreign/hostile/alien export will abide and grow/persist and progress because of its always vast, and constantly renewing itself with fundamentally ignorant and unlearned, inexperienced user bases .......creating the EnigmatICQ PEBKAC Conundrum, a Human Existentialist Dilemma which has SMARTR Virtual AIMachines/Large Learned Language Learning Machines/Generative Beta Meta Data Base Models questioning how, with such a persistent abiding catastrophic fundamental weakness and defenceless exploitable vulnerability, is humanity to survive and prosper in the Live Operational Virtual Environments of a Future AIMachines-led World ..... a Massively Rich and Varied Universe ..... Remote Controlled Multiverse? :-)

      Poe’s Law Rules in AI Reigns with IT Reins Providing the Directions for Sublime Instruction Sets to Deliver as Worthy Destinations and Homes for Virtual Realisation and Practical Physical Creation ....... and that is what and where we all here are presently at. What and where be you currently at? Anything at all interesting and daring and worth a’sharing?

      1. amanfromMars 1 Silver badge

        Re: "ripe for exploitation since May"

        :-) And deny all of the above at your peril, for it is true ........ and although I cannot confirm the veracity of the news contained in the tale shared here ....... AI doing British politicians’ jobs – minister ........ would it surprise you to know it be also true too?

        Between a rock and a hard place there be no soft landing nor safe places in which to hide and reside and preside.

      2. Anonymous Coward
        Anonymous Coward

        A convoluted amalgamation of techno-gibberish

        amanfromMars 1: “Indeed, and catastrophic weaknesses and diabolical vulnerabilities for ruthless 0day ..

        The passage is an absolute cacophony of bewildering techno-jargon, where the author seems to have unleashed a torrent of buzzwords without any semblance of logical coherence. The proclamation of "catastrophic weaknesses" and "diabolical vulnerabilities" in the context of a "ruthless 0day exploit" and "foreign/hostile/alien export" reaches a crescendo of absurdity, descending into a frenzied attempt at fearmongering.

        The concoction of the "EnigmatICQ PEBKAC Conundrum" appears as an attempt to break the scale of unintelligibility, introducing an amalgam of obscure terms to baffle the reader.

        The passage careens wildly between predicting the dominance of "AIMachines" and questioning human survival in a "Remote Controlled Multiverse," leaving the audience grappling with a perplexing whirlwind of concepts.

        The gratuitous use of terms like "SMARTR Virtual AIMachines" and "Generative Beta Meta Data Base Models" adds an extra layer of absurdity, pushing the narrative into the realm of sheer incoherence. This passage is a cacophonous symphony of techno-gibberish that borders on the absurd, leaving readers in a state of bemused bewilderment.

        1. amanfromMars 1 Silver badge

          Re: A convoluted amalgamation of techno-gibberish

          Welcome to the cyber jungle, AC ..... where all manner of wannabe almighty daemons and heavenly trojans reside and preside ..... and a space in which all who dare care share wins, win win and be fated and feted and destined to exercise abilities and facilities and utilities IntelAIgently Designed and virtually designated practically omniscient ..... which be a quantum leap of progress of/to such an orderly exalted degree that it failsafe guarantees one never ever to suffer the slight and indignity of the loss of great gains to serial losers‽ .

          But/And a hellish place for any and all neither open to novel and noble progressive change nor worthy of generous GBIrish welcome.

          1. Anonymous Coward
            Anonymous Coward

            Re: A convoluted amalgamation of techno-gibberish

            @amanfromMars 1: “Welcome to the cyber jungle, AC .....

            The text, serving as a canvas for the Freudian spectacle, demands our scrutiny through the distorted lens of psychosexual imagination. It claims to be a creative exercise, yet skepticism is warranted. The bravado-filled lexicon, reminiscent of Oedipal discord, echoes through the linguistic tumult, exemplified in the theatrically charged metaphor of the "cyber jungle." A verbal fixation on dominance and control, rooted in the primal oral abyss, forcefully asserts itself on the stage.

            The text, a spectacle of characters and narratives, chronicles the saga of an individual fixated on external triumphs, wielding power as an emblem of arrested development in the nascent charters of a psychosexual tableau vivant. The persistent emphasis on power unfurls the unresolved saga of a symbolic devouring mother, casting a spectre over this linguistic odyssey. "Daemons and heavenly trojans" become players in an anal drama, a stage where the struggle for control, order, and the intricacies of potty training finds its peculiar soliloquy.

            The confident and almost boastful cadence, a rhetorical symphony, emerges as a formidable defense mechanism — a theatrical mask concealing insecurities and dormant conflicts. Grandiloquent language unfurls its protective cloak, a formidable barrier shielding the fragile ego from the sting of inadequacy. Witness this Freudian carnival, a mythic tapestry woven with the threads of psychosexual chaos, where the writer becomes the grand protagonist in the theatre of his own head.

            1. amanfromMars 1 Silver badge

              Re: Spectacular Serverings of Text Canvassing One’s Inner Freudian Complexes

              :-) That’s most certainly worthy of an upvote, AC. Bravo, Kind Sir or Madam or Otherwise.

        2. David 132 Silver badge

          Re: A convoluted amalgamation of techno-gibberish

          You're, uh, new here, right?

          AMFM1 is our resident Markov Chain-based bot - or if not, a very, very peculiar human. I just ignore him/it.

          1. amanfromMars 1 Silver badge

            Re: Just ignoring things

            You're, uh, new here, right?..... David 132

            Some things are best not ignored and dismissed, David 132, and especially so whenever it results in one being sublimely disadvantaged and it is perilous to be disengaged from and disenfranchised by anything way beyond any familiar kind of human command and remote control leverage.

            And goodness knows what an Anonymous Coward newbie might make of the most recent of convoluted amalgamations of techno-GBIrish, pointing out an inconsistency highlighting a vulnerability aiding and abetting a serial Oday exploit opportunity worthy of both foreign export and hostile import and renegade rogue exercise for non-state ACTor deployment and employment and enjoyment on right dodgy, compromised platforms which be readily available, with one of them being cited/outed here on El Reg for peer review ..... https://forums.theregister.com/forum/1/2024/01/16/us_military_openai/

    2. ChoHag Silver badge
      Windows

      Re: "ripe for exploitation since May"

      Security is not hard, it's *boring*. There's no space in DevOps for the boring parts of running a system that don't come ready-wrapped in a docker (is it still docker?).

      1. mike-litoris

        Re: "ripe for exploitation since May"

        boring and annoying....

        - your password must be at least 8 characters long.

        - It must contain at least one uppercase letter, one number, and one special character.

        - It must be difficult-to-impossible to remember.

        - think of a letter. Now think of another letter. Do not use either of those letters in your password.

        :)

        1. ChoHag Silver badge

          Re: "ripe for exploitation since May"

          That's not security, that's theatre, and the theatre isn't boring.

        2. Sorry that forum user name is already taken.

          Re: "ripe for exploitation since May"

          Oh, I WISH it were that easy. I work in banking. 14 character password, 3 special, 2 digits, no repeating characters or digits, can't be "too similar" to any of the previous 10 passwords you've used. And that's just one system.

          The worst kind of theater. Leonard Pinth-Garnell would love it.

        3. t245t Silver badge

          Re: "ripe for exploitation since May"

          > boring and annoying....

          As order exponentially increases, time exponentially speeds u == aoeitesu

  2. CowHorseFrog Silver badge

    Everybody knows gitlab just like bitbucket is a pile of crap.

    The most basic features are missing from both so its hardly a wonder they are also plagued with vulnerabilities.

  3. wolfetone Silver badge

    "Users with 2FA enabled aren't vulnerable to account takeover, unless the attacker also had control of the 2FA authenticator, but a password reset could still be achieved."

    I feel a bit thick here, but am I wrong thinking that if the account has 2FA and an attacker doesn't have control of it, the password of the account shouldn't be able to be reset?

    1. Anonymous Coward
      Anonymous Coward

      That would make sense. Even if the attacker tricked the system into sending a password-reset email to an arbitrary address, then clicked the link to reset the password, it should prompt for the 2FA before resetting the password.

  4. mike-litoris
    Alert

    there are many gitlab servers being used by hackers to post links for downloading movies.

    instead of a movie, the malicious link will download a trojan (exe file).

  5. Sceptic Tank Silver badge
    Trollface

    Check out security patches.

    As luck would have it, the version of GitLab I have to use is so old that it still runs on CVS.

  6. CrazyOldCatMan Silver badge

    Upgraded my Gitlab instance..

    And have seen lots of account-guessing password reset attempts - fortunately, none of the accounts exist (I wonder if Gitlab has something akin to fail2ban? I run that (or an equivalent) on my VMs that are exposed to the outside world because of hordes of account/password ssh brute-force login attempts. The gitlab attemps seems to use a similar rainbow table of account names - albeit with 'devops' and 'developer' added to the table).

    Some of them even manage to work out my domain (well duh - it's in the URL) and use them in the attempts - who would be stupid enough to create a gitlab account called root@[domain]? Plus, my email address is the catch-all for my domain so the password reset emails are oviously not going out..

  7. Anonymous Coward
    Anonymous Coward

    GitLab instances get owned on the regular. I had my own instance of GitLab for ages and no matter what I did, it woukd eventually get hacked in some way shape or form...I'd usually find out in form of my server screaming and kicking out heat.

    Since I didn't really need all the functionality of GitLab I moved to Gitea, I've never been hacked since and its way faster as well and comes with far less crap that I dont need.

    If all you want is a simple code repo server and you dont need DevOps bullshit give Gitea a bash. Its basic but awesome.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like