Analysis Summary

GitLab has patched a serious bug that affects the Community Edition (CE) and Enterprise Edition (EE) and has the potential to allow for an authentication bypass. The ruby-saml library is the source of the vulnerability (CVE-2024-45409, CVSS score: 10.0), which could let an attacker access the compromised system by logging in as any user.

SAML, short for Security Assertion Markup Language, is a protocol that facilitates single sign-on (SSO) and the exchange of authentication and authorization data across numerous apps and websites. The issue stems from the library's improper verification of the signature of the SAML Response. Thus, an unauthenticated attacker can fake a SAML Response/Assertion with any content if they have access to any signed SAML document (via the IdP). According to a security advisory, this would enable the attacker to access the vulnerable system and login as any user.

It's important to note that omniauth-saml, which released an update (version 2.2.1) of its own to bring ruby-saml up to version 1.17, is also affected by the vulnerability. The goal of the most recent GitLab patch is to update the dependencies ruby-saml to 1.17.0 and omniauth-saml to version 2.2.1. Versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 are included in this.

GitLab is asking users of self-managed installations to disable the SAML two-factor bypass option and set up two-factor authentication (2FA) for all accounts as mitigations. GitLab does not disclose the vulnerability that is being used in the wild, but it has disclosed signs of successful or attempted exploitation, indicating that threat actors might be actively attempting to take advantage of the flaw to get access to vulnerable GitLab installations.

Successful exploitation efforts will cause log events about SAML. Any extern_id value that the attacker attempts to set will be logged if the exploitation attempt is successful. The RubySaml library may produce a ValidationError if an exploitation attempt fails. This could be due to several factors, including the difficulty of creating a functional exploit.

Impact

• Security Bypass
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-45409

Affected Vendors

Remediation

• Refer to the GitLab Website for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.