GitLab Patches: Severe SAML Authentication Bypass Flaw Fixed
A critical SAML authentication bypass flaw was recently identified in GitLab’s Community Edition (CE) and Enterprise Edition (EE). As of now, GitLab patches aiming to fix the flaw have been released; however, if the fixes had not been released, potential exploits of the flaw may have been detrimental. In this article, we’ll dive into the details of the flaw and the patches while covering its severity, root cause, and more. Let’s begin!
Roots Of CVE-2024-45409
The ruby-saml library flaw, for which GitLab patches have been released, was tracked CVE-2024-45409. The flaw had a critical vulnerability severity score (CVSS) of 10.0, meaning that exploits could have led attackers to have significant benefits, allowing them to cause further damage.
The root cause, and why patches were required, was the library not adequately verifying signatures of the SAML response. Security Assertion Markup Language (SAML) is a security protocol that enables the single sign-on (SSO). In addition, the protocol ensures the exchange of authorization and authentication data through multiple apps and websites.
In a security advisory, providing insights into potential exploits, it’s stated that:
“An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.”
No Known Exploit In The Wild
GitLab has currently not made any mentions of the flaw being exploited in the wild. However, media reports have claimed that GitLab indicated exploit attempts and success pertaining to the flaw for which the GitLab patches are released.
These indications suggest that threat actors are trying to capitalize on the flaw to gain initial access. Commenting on the success and failure of the exploit attempts, GitLab has stated that:
“Successful exploitation attempts will trigger SAML related log events. A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation. Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit.”
GitLab Patches Released To Mitigate Threats
As far as the patches are concerned, fixes have been applied to the following versions:
- 17.3.3.
- 17.2.7.
- 17.1.8.
- 17.0.8.
- 16.11.10.
In addition to these patches, OmniAuth SAML has been upgraded to version 2.2.1 and Ruby-SAML to 1.17.0. It’s worth mentioning that the issue only impacts self-managed instances; therefore, users of GitLab Dedicated instances do not need to take any action.
Users who have the affected version are requested to promptly apply the GitLab patches by updating to a secure version, as it can drastically decrease threat exposure.
Conclusion
The critical SAML authentication bypass flaw posed a significant threat to GitLab’s self-managed instances. While no active exploitation has been confirmed, applying the released GitLab patches is crucial for reducing potential risks. As the cyber threat landscape becomes increasingly complex, users must implement proactive security measures to ensure protection.
The sources for this piece include articles in The Hacker News and BLEEPING COMPUTER.