GitLab Releases Critical Security Patch for CVE-2024-45409 (CVSS 10) Vulnerability


GitLab has issued an urgent security update addressing a critical vulnerability that affects both GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw, identified as CVE-2024-45409, carries a CVSS score of 10, marking it as a highly severe threat. This vulnerability is rooted in the Ruby-SAML library, which is used to handle SAML authentication for GitLab instances.

CVE-2024-45409 exposes GitLab instances to a potentially catastrophic security breach. The vulnerability stems from improper signature verification in certain versions of the Ruby-SAML library (<=12.2 and 1.13.0 through 1.16.0). This flaw allows an unauthenticated attacker to forge a SAML response, effectively granting them access to GitLab as any arbitrary user.

In practical terms, this means that a threat actor could bypass authentication checks and gain access to sensitive GitLab projects, including source code repositories, without needing to supply valid credentials.

GitLab has responded by releasing security patches for all affected versions, which includes updates to both the omniauth-saml dependency (to version 2.2.1) and the ruby-saml library (to version 1.17.0).

For self-managed GitLab users, there are several key mitigation steps to prevent successful exploitation of this vulnerability:

  1. Enable two-factor authentication (2FA) for all user accounts on the self-managed instance. It is important to note that enabling identity provider (IdP) multi-factor authentication does not mitigate this vulnerability—GitLab’s built-in 2FA must be used.
  2. Disable the SAML two-factor bypass option in GitLab to prevent attackers from leveraging this method to circumvent additional security layers.

GitLab has provided guidelines for identifying exploitation attempts via application and authentication logs. Indicators of unsuccessful exploitation attempts include the occurrence of RubySaml::ValidationError in the logs, often due to incorrect callback URLs or certificate signing issues.

On the other hand, successful exploitation will leave traces in SAML-related log events. Attackers will attempt to set arbitrary extern_uid values to mimic legitimate authentication sessions, making it crucial for administrators to scrutinize unexpected or unknown extern_uid fields.

{"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}
Example exploit authentication event in the application_json log file, with an extern_uid set in exploit PoC code

For organizations that forward GitLab logs to a SIEM, GitLab has provided Sigma-based detection rules to help identify potential exploitation attempts. These detection rules focus on identifying unusual patterns such as:

  • Multiple extern_uid values for a single authenticated SAML user.
  • IP address mismatches between SAML authentication events and other IdP-related events for the same user, which could indicate unauthorized access.
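As an added example (not GitLab's own Sigma rules or code), the script below applies the first detection pattern to application_json lines: it parses SAML sign-in events in the message format shown above and flags any user that appears with more than one extern_uid, keeping the source IPs for follow-up. The log lines and their values are constructed; only the message format and the OmniauthCallbacksController#saml caller_id come from the advisory excerpt.

```python
import json
import re
from collections import defaultdict

# Message format of the SAML sign-in event shown in the advisory excerpt
SAML_MSG = re.compile(
    r"\(SAML\) saving user (?P<user>\S+) from login with admin => (?P<admin>\w+), "
    r"extern_uid => (?P<uid>\S+)"
)

# Constructed sample lines (not real GitLab output): alice signs in twice with
# different extern_uid values from different IPs; bob is a single normal sign-in.
SAMPLE_LOG = """\
{"severity":"INFO","time":"2024-09-17T10:00:00Z","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"203.0.113.10","message":"(SAML) saving user alice@example.com from login with admin =\\u003e false, extern_uid =\\u003e alice"}
{"severity":"INFO","time":"2024-09-17T10:05:00Z","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"198.51.100.7","message":"(SAML) saving user alice@example.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}
{"severity":"INFO","time":"2024-09-17T10:06:00Z","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"203.0.113.11","message":"(SAML) saving user bob@example.com from login with admin =\\u003e false, extern_uid =\\u003e bob"}
{"severity":"INFO","time":"2024-09-17T10:07:00Z","meta.caller_id":"SessionsController#new","meta.remote_ip":"203.0.113.11","message":"unrelated event"}
"""


def parse_saml_events(log_text):
    """Return a list of (user, extern_uid, remote_ip, time) for SAML sign-in events."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("meta.caller_id") != "OmniauthCallbacksController#saml":
            continue
        # Some shippers leave the escaped '\u003e' in the message; normalise it to '>'
        m = SAML_MSG.search(rec.get("message", "").replace("\\u003e", ">"))
        if m:
            events.append((m["user"], m["uid"], rec.get("meta.remote_ip"), rec.get("time")))
    return events


def find_suspicious_users(events):
    """Map each user seen with more than one extern_uid to the uids and IPs involved."""
    by_user = defaultdict(lambda: {"extern_uids": set(), "ips": set()})
    for user, uid, ip, _time in events:
        by_user[user]["extern_uids"].add(uid)
        by_user[user]["ips"].add(ip)
    return {u: d for u, d in by_user.items() if len(d["extern_uids"]) > 1}


if __name__ == "__main__":
    for user, d in find_suspicious_users(parse_saml_events(SAMPLE_LOG)).items():
        print(f"{user}: extern_uids={sorted(d['extern_uids'])} ips={sorted(d['ips'])}")
```

A hit is a starting point for review, not proof of compromise: an IdP migration that legitimately changes a user's NameID produces the same pattern, so compare the flagged IPs against the IdP's own authentication events as the second rule suggests.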

All GitLab installations affected by CVE-2024-45409 are urged to upgrade to the latest patched versions immediately (17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10). Given the critical nature of this vulnerability and the potential for remote, unauthenticated access, delaying the update could result in a severe security breach.
