GitLab has patched a critical-severity vulnerability that could allow remote attackers to take over user accounts by signing in with a hardcoded password. The flaw, tracked as CVE-2022-1162 and discovered internally by GitLab, affected both GitLab Enterprise Edition (EE) and Community Edition (CE).
According to the GitLab Security Team:
“A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts.”
GitLab strongly urges users to upgrade to a patched version (14.9.2, 14.8.5, or 14.7.7) as soon as possible to avoid exploitation.
GitLab says it has found no evidence that any users or accounts were compromised, but as a precaution it reset the passwords of a limited number of GitLab.com users as part of its CVE-2022-1162 mitigation.
The GitLab Security Team said:
“We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC.”
“Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.”
Script To Identify Affected Accounts
GitLab has published a script for self-managed GitLab instances that identifies user accounts potentially vulnerable to CVE-2022-1162, i.e. OmniAuth-registered accounts whose password is still the hardcoded default.
Administrators must update (reset the password of) every account the script flags. GitLab reports more than 30 million registered users in 66 countries, and over 100,000 organizations use its DevOps platform.
GitLab fixed further vulnerabilities in the same releases alongside this account-takeover bug.
The root cause sat in the 'lib/gitlab/password.rb' file, which supplied a weak hardcoded password through its TEST_DEFAULT constant; according to a code change made two days before the advisory, GitLab deleted that file.
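To make the mechanism concrete, here is an added Ruby example that is not GitLab's code. It models the vulnerable OmniAuth provisioning path (every SSO-created account receives the same fixed password) next to the fixed one (a fresh random secret per account), and a triage helper in the spirit of the identification script above that lists OmniAuth accounts whose stored hash still verifies against the default and resets them. The placeholder constant value, the User struct, the PBKDF2 hashing (standing in for Devise's bcrypt), and the sample accounts are all assumptions constructed for this example; the real hardcoded value is deliberately not reproduced.

```ruby
require "openssl"
require "securerandom"

# Added example, not GitLab's code. Placeholder standing in for the real
# TEST_DEFAULT value, which is intentionally not reproduced here.
PLACEHOLDER_TEST_DEFAULT = "placeholder-hardcoded-password"

# Minimal stand-in for a GitLab user record (assumption: not GitLab's model).
# `provider` is nil for accounts created with a local password.
User = Struct.new(:username, :provider, :password_salt, :password_hash, keyword_init: true)

# Stand-in for Devise's bcrypt: PBKDF2-HMAC-SHA256 from the standard library,
# returned as hex so records are easy to compare and print.
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                           length: 32, hash: "sha256").unpack1("H*")
end

# Constant-time comparison so the check itself does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(user, candidate)
  constant_time_equal?(hash_password(candidate, user.password_salt), user.password_hash)
end

# VULNERABLE: every OmniAuth-provisioned user gets the same, publicly known
# password, so anyone who knows it can sign in with username + password and
# bypass the SSO provider entirely.
def build_omniauth_user_vulnerable(username, provider)
  salt = SecureRandom.hex(16)
  User.new(username: username, provider: provider, password_salt: salt,
           password_hash: hash_password(PLACEHOLDER_TEST_DEFAULT, salt))
end

# FIXED: an unguessable random password per account. The user never needs to
# know it, because sign-in is meant to go through the OmniAuth provider.
def build_omniauth_user_fixed(username, provider)
  salt = SecureRandom.hex(16)
  User.new(username: username, provider: provider, password_salt: salt,
           password_hash: hash_password(SecureRandom.base64(32), salt))
end

# Triage helper in the spirit of the admin script: OmniAuth-registered accounts
# whose stored hash still verifies against the known default are affected.
def affected_accounts(users, default_password = PLACEHOLDER_TEST_DEFAULT)
  users.select { |u| u.provider && password_matches?(u, default_password) }
       .map(&:username)
end

# Remediation for a flagged account: replace the password with a random one.
def reset_password!(user)
  user.password_salt = SecureRandom.hex(16)
  user.password_hash = hash_password(SecureRandom.base64(32), user.password_salt)
  user
end

# Constructed sample data: two accounts provisioned by the vulnerable path, one
# by the fixed path, and one local account with its own password.
def sample_users
  [
    build_omniauth_user_vulnerable("alice", "saml"),
    build_omniauth_user_vulnerable("bob", "ldapmain"),
    build_omniauth_user_fixed("carol", "google_oauth2"),
    User.new(username: "dave", provider: nil, password_salt: "0" * 32,
             password_hash: hash_password("dave-own-password", "0" * 32)),
  ]
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  flagged = affected_accounts(users)
  puts "Affected accounts: #{flagged.inspect}"
  flagged.each { |name| reset_password!(users.find { |u| u.username == name }) }
  puts "Affected after reset: #{affected_accounts(users).inspect}"
end
```

Running the script prints the two vulnerable-path accounts as affected and an empty list after the reset. On a real instance the equivalent query has to verify each stored bcrypt hash against the actual default value, which is why the vendor-provided script should be used rather than a hand-rolled check.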