GitLab Addresses Critical SAML Authentication Bypass Vulnerability in Community and Enterprise Editions
GitLab has released fixes for a critical vulnerability affecting Community Edition (CE) and Enterprise Edition (EE) that could lead to an authentication bypass.
The flaw originates in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0) and permits an attacker to sign in as any user within the vulnerable system. The library's developers resolved it last week.
The issue stems from the library failing to properly verify the signature of the SAML Response. SAML (Security Assertion Markup Language) is a mechanism that enables single sign-on (SSO) and the exchange of authentication and authorization data among applications and websites.
“An unauthenticated intruder with the ability to access any signed SAML document (by the IdP) can hence fabricate a SAML Response/Assertion with arbitrary contents,” according to a security advisory. “This could authorize the intruder to log in as any user within the vulnerable system.”
It is worth noting that the vulnerability also affects omniauth-saml, which has shipped its own update (version 2.2.1) to upgrade ruby-saml to version 1.17.
GitLab's latest patch updates the omniauth-saml dependency to version 2.2.1 and ruby-saml to 1.17.0. The fix is included in versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.
As mitigations, GitLab is urging users of self-hosted installations to enable two-factor authentication (2FA) for all accounts and to disable the SAML two-factor bypass option.

GitLab has not reported any instances of the vulnerability being exploited in the wild, but it has shared indicators of attempted or successful exploitation, suggesting that threat actors may be actively trying to take advantage of the weakness to gain access to vulnerable GitLab instances.
“Successful exploitation attempts will trigger SAML-related log events,” it stated. “A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation.”
“Unsuccessful exploitation attempts may produce a ValidationError from the RubySaml library. This could be due to various reasons associated with the complexity of crafting a functional exploit.”
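As an added example that is not GitLab's own code, this Ruby script applies the two indicators GitLab describes (an attacker-chosen extern_id on a successful SAML login, and RubySaml ValidationError entries from failed attempts) to constructed JSON log lines; the log field names, the allowlist of IdP-provisioned identities and the sample messages are assumptions.

```ruby
require 'json'
require 'time'
# Constructed sample JSON log lines (not real GitLab output); field names are assumptions.
SAMPLE_LOG = <<~LOG
  {"time":"2024-09-18T10:01:02Z","message":"(saml) Authentication success","provider":"saml","extern_id":"alice@example.com","ip":"203.0.113.5"}
  {"time":"2024-09-18T10:03:14Z","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Invalid Signature on SAML Response","provider":"saml","ip":"198.51.100.7"}
  {"time":"2024-09-18T10:04:44Z","message":"(saml) Authentication success","provider":"saml","extern_id":"root","ip":"198.51.100.7"}
  {"time":"2024-09-18T10:05:01Z","message":"User login","user":"bob","ip":"192.0.2.9"}
  not-json garbage line
LOG

# Identities the IdP is expected to assert; assumed to be exported from the IdP.
KNOWN_EXTERN_IDS = %w[alice@example.com bob@example.com].freeze

# Returns findings: SAML logins whose extern_id is not a known IdP identity, and
# RubySaml ValidationError entries (the failed-attempt indicator).
def triage_saml_log(log_text, known_ids = KNOWN_EXTERN_IDS)
  findings = []
  log_text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    begin
      event = JSON.parse(line)
    rescue JSON::ParserError
      next # skip non-JSON lines instead of aborting the sweep
    end
    next unless event['provider'] == 'saml'
    base = { time: event['time'], ip: event['ip'] }
    if event.key?('extern_id') && !known_ids.include?(event['extern_id'])
      findings << base.merge(kind: :unexpected_extern_id, extern_id: event['extern_id'])
    elsif event['message'].to_s.include?('RubySaml::ValidationError')
      findings << base.merge(kind: :validation_error, message: event['message'])
    end
  end
  findings
end

# Source IPs with a ValidationError followed by a flagged login: escalate these first.
def escalate_sources(findings)
  findings.group_by { |f| f[:ip] }.select do |_ip, evs|
    err = evs.find { |e| e[:kind] == :validation_error }
    ok  = evs.find { |e| e[:kind] == :unexpected_extern_id }
    err && ok && Time.parse(err[:time]) < Time.parse(ok[:time])
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  triage_saml_log(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Against real logs, replace SAMPLE_LOG with the instance's SAML authentication log stream and KNOWN_EXTERN_IDS with the identities exported from the IdP; any successful login whose extern_id the IdP never issued is the signal to investigate.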
The development coincides with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding five security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a newly disclosed critical flaw affecting Apache HugeGraph-Server (CVE-2024-27348, CVSS score: 9.8), based on evidence of active exploitation.
Federal Civilian Executive Branch (FCEB) agencies have been advised to remediate the identified vulnerabilities by October 9, 2024, to protect their networks against active threats.
