GitLab fixes critical SAML authentication bypass in CE and EE versions


Sep 19, 2024 | Ravie Lakshmanan | Enterprise Security / DevOps


GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass.

The vulnerability lies in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0) and could allow an attacker to log in as an arbitrary user on the vulnerable system. The library's maintainers addressed it last week.

The issue arises from the library not properly verifying the signature of the SAML Response. SAML (Security Assertion Markup Language) is a protocol that enables single sign-on (SSO) and the exchange of authentication and authorization data across multiple applications and websites.

“An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents,” according to a security advisory. “This would allow the attacker to log in as arbitrary user within the vulnerable system.”

It’s worth noting the flaw also impacts omniauth-saml, which shipped an update of its own (version 2.2.1) to upgrade ruby-saml to version 1.17.

GitLab's latest patch updates the omniauth-saml dependency to version 2.2.1 and ruby-saml to 1.17.0. The fix ships in GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.

As a precaution, GitLab recommends that users of self-managed installations enable two-factor authentication (2FA) for all accounts and disallow the SAML two-factor bypass option.

GitLab has not reported any instances of the flaw being exploited in the wild, but it has provided indicators of attempted or successful exploitation, suggesting that threat actors may be actively trying to exploit the vulnerability to gain access to vulnerable GitLab instances.

“Successful exploitation attempts will trigger SAML related log events,” it said. “A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation.”

“Unsuccessful exploitation attempts may generate a ValidationError from the RubySaml library. This could be for a variety of reasons related to the complexity of crafting a working exploit.”
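A defender-side scan for the two indicators GitLab names above, added here as an example that is not from the article or from GitLab: the JSON field names and the sample events are constructed assumptions, and the known-identifier set stands in for an export of the identifiers your IdP actually issues.

```python
import json
from collections import Counter

# Constructed sample events (JSON lines). The field names are an assumption
# made for this example; map them to your own GitLab log schema before use.
SAMPLE_LOG = [
    '{"time":"2024-09-18T10:00:00Z","provider":"saml","event":"login","extern_id":"alice@example.com"}',
    '{"time":"2024-09-18T10:05:12Z","provider":"saml","event":"login","extern_id":"root"}',
    '{"time":"2024-09-18T10:06:40Z","provider":"saml","event":"failure",'
    '"error":"OneLogin::RubySaml::ValidationError: Invalid Signature on SAML Response"}',
    '{"time":"2024-09-18T10:07:01Z","provider":"github","event":"login","extern_id":"12345"}',
]

# Identifiers the IdP is known to issue (assumed; export them from the IdP in practice).
KNOWN_EXTERN_IDS = {"alice@example.com", "bob@example.com"}


def scan_saml_log(lines, known_extern_ids):
    """Return findings for the two indicators GitLab describes: a SAML login whose
    extern_id was never issued by the IdP (possible forged assertion) and a
    RubySaml ValidationError (possible unsuccessful attempt)."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the scan
        if event.get("provider") != "saml":
            continue  # only SAML-related events matter here
        extern_id = event.get("extern_id")
        error = event.get("error") or ""
        if event.get("event") == "login" and extern_id not in known_extern_ids:
            findings.append({"time": event.get("time"), "category": "unexpected_extern_id",
                             "extern_id": extern_id})
        elif "ValidationError" in error:
            findings.append({"time": event.get("time"), "category": "validation_error",
                             "detail": error})
    return findings


def summarize(findings):
    """Count findings per category for a quick triage view."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    hits = scan_saml_log(SAMPLE_LOG, KNOWN_EXTERN_IDS)
    for hit in hits:
        print(hit)
    print(dict(summarize(hits)))
```

A login with an extern_id outside the IdP's issued set is the stronger signal, since the page states a successful attempt logs whatever value the attacker chose.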

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for prompt remediation to protect against active threats.

Federal Civilian Executive Branch (FCEB) agencies have been advised to address the identified vulnerabilities by October 9, 2024, to safeguard their networks from malicious exploitation.
