GitLab backports fix for CVE-2024-45409 to older versions
In a crucial security release, GitLab has addressed a severe vulnerability (CVE-2024-45409) in its Community Edition (CE) and Enterprise Edition (EE) platforms, impacting all self-managed installations. Administrators are strongly encouraged to upgrade immediately to the newly patched versions 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, or 16.0.10. These versions contain the critical security fix initially released for GitLab versions 17.x.x and 16.11.10.
CVE-2024-45409 is a critical vulnerability affecting the Security Assertion Markup Language (SAML) authentication used by GitLab’s OmniAuth framework. SAML is a single sign-on (SSO) protocol that simplifies user login by allowing access to multiple services with one set of credentials. This vulnerability arises from a flaw in how GitLab validates the SAML responses sent by an Identity Provider (IdP), specifically in the OmniAuth-SAML and Ruby-SAML libraries.
The bug occurs when GitLab mishandles certain elements of the SAML assertion, particularly the extern_uid (external user ID). The extern_uid is a critical identifier used to recognize users across multiple systems. If the SAML response is misconfigured or manipulated, an attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the GitLab instance.
The flaw allows attackers to craft malicious SAML responses that trick GitLab into believing they are legitimate, authenticated users. By bypassing SAML authentication entirely, attackers can gain unrestricted access to sensitive GitLab repositories and potentially compromise source code, intellectual property, and other critical business assets.
GitLab has not explicitly confirmed any cases of exploitation in the wild, but the security bulletin warns that attempts may have already been made. Indicators of possible exploitation include:
- Errors related to ‘RubySaml::ValidationError’ (unsuccessful attempts)
- New or unusual ‘extern_uid’ values in authentication logs (successful attempts)
- Missing or incorrect information in SAML responses
- Multiple ‘extern_uid’ values for a single user (potential account compromise)
- SAML authentication from unfamiliar or suspicious IP addresses
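As an added example, not taken from the GitLab bulletin or this article, the following Ruby script checks exported log lines for three of the indicators above: RubySaml::ValidationError entries, extern_uid values never seen before, and accounts linked to more than one extern_uid. The JSON field names (message, username, extern_uid, remote_ip), the sample lines and the baseline list are constructed assumptions, not GitLab's actual log schema.

```ruby
require 'json'

# Constructed sample lines in a GitLab-like JSON log shape; the field names
# (message, username, extern_uid, remote_ip) are assumptions, not GitLab's schema.
SAMPLE_LOG = <<~LOG
  {"severity":"ERROR","time":"2024-09-17T10:01:02Z","message":"RubySaml::ValidationError: Invalid Signature on SAML Response","remote_ip":"203.0.113.7"}
  {"severity":"INFO","time":"2024-09-17T10:01:40Z","message":"SAML login","username":"alice","extern_uid":"alice@example.com","remote_ip":"198.51.100.5"}
  {"severity":"INFO","time":"2024-09-17T10:02:15Z","message":"SAML login","username":"alice","extern_uid":"idp-0042","remote_ip":"203.0.113.7"}
  {"severity":"INFO","time":"2024-09-17T10:03:00Z","message":"SAML login","username":"bob","extern_uid":"bob@example.com","remote_ip":"198.51.100.5"}
LOG

# extern_uid values already linked to accounts before the advisory (constructed baseline).
KNOWN_EXTERN_UIDS = %w[alice@example.com bob@example.com].freeze

# Reads JSON log lines and collects three indicators the bulletin names:
# RubySaml::ValidationError entries (failed attempts), extern_uids not in the
# baseline (possible successful attempts), and users tied to several extern_uids.
def scan_saml_logs(log_text, known_uids = KNOWN_EXTERN_UIDS)
  failures = []
  new_uids = []
  uids_by_user = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    begin
      entry = JSON.parse(line)
    rescue JSON::ParserError
      next                                   # not a JSON line, ignore it
    end
    msg = entry['message'].to_s
    if msg.include?('RubySaml::ValidationError')
      failures << { time: entry['time'], ip: entry['remote_ip'], message: msg }
      next
    end
    uid = entry['extern_uid']
    next unless uid                          # not a SAML login event
    user = entry['username']
    uids_by_user[user] << uid unless uids_by_user[user].include?(uid)
    new_uids << { user: user, uid: uid, ip: entry['remote_ip'] } unless known_uids.include?(uid)
  end

  multi = uids_by_user.select { |_, uids| uids.size > 1 }
  { validation_failures: failures, new_extern_uids: new_uids, multi_uid_users: multi }
end

if __FILE__ == $PROGRAM_NAME
  report = scan_saml_logs(SAMPLE_LOG)
  puts "failed SAML validations: #{report[:validation_failures].size}"
  report[:new_extern_uids].each { |e| puts "new extern_uid #{e[:uid]} for #{e[:user]} from #{e[:ip]}" }
  report[:multi_uid_users].each { |u, uids| puts "#{u} is linked to several extern_uids: #{uids.join(', ')}" }
end
```

The remote_ip carried in each finding lets the unfamiliar-IP indicator be checked against whatever address allow-list the instance already maintains.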
GitLab strongly recommends that all affected self-managed installations be upgraded to one of the patched versions immediately.