Recently, researchers discovered that a patched critical remote code execution (RCE) vulnerability in GitLab's web page has been detected and exploited as a 0day in the wild, making a large number of Internet-facing GitLab instances extremely vulnerable to attacks. The CVE number of this risk vulnerability is CVE-2021-22205.
Vulnerability details:
1. Vulnerability description:
Register an account and password on the Gitlab platform (some companies' Gitlab platforms allow registration)
After logging in, go to your personal homepage and find Snippets
Here you need to upload a DjVu format image (that is, the constructed exploit exploit)
The production method of DjVu format pictures is as follows
Download and install DjVuLibre at http://djvu.sourceforge.net/
Prepare the text that will compress the image
Use the command djvumake rce.djvu INFO=0,0 BGjp=/dev/null ANTa=rce.txt && mv rce.djvu rce.jpg to generate Exp
2. Upload Exp,
3. Impact of the vulnerability:
Although the vulnerability was initially considered an authenticated RCE CVSS assigned a score of 9.9, due to direct unauthenticated exploitability the severity rating was revised to a CVSS score of 10 on September 21, 2021.
4. Data leakage risk:
Although the patch has been publicly released for more than six months, out of 60,000 Internet-facing GitLabs, only 21% instances are statistically patched for the issue, and 50% instances are still vulnerable to RCE attacks.
5. Suggestions:
Given the unauthenticated nature of this vulnerability, an increase in exploit activity is expected, so GitLab users update to the latest version as soon as possible. Additionally, it is recommended that GitLab should not be an Internet-facing service, and if you need to access your GitLab from the Internet, consider putting it behind a VPN.
Related vulnerability reference analysis>>
Original article by lyon, if reproduced, please credit: https://www.cncso.com/en/gitlabs-unauthorized-remote-code-execution-rce-vulnerability-without-identity- verification.html
