Taking control of vulnerable GitLab servers to engage in DDoS attacks

GitLab has warned users about an increase in malicious activity related to the exploitation of the critical vulnerability CVE-2021-22205, which allows an unauthenticated attacker to execute arbitrary code remotely on a server running the GitLab collaborative development platform.

The issue has been present in GitLab since version 11.9 and was fixed back in April with GitLab releases 13.10.3, 13.9.6, and 13.8.8. However, according to a global network scan of 60,000 publicly accessible GitLab instances conducted on October 31, 50% of systems continue to run outdated versions of GitLab that are still vulnerable. Only 21% of the servers tested had the required updates installed, and for 29% of the systems the version number could not be determined.

The failure of GitLab server administrators to install updates has led to the vulnerability being actively exploited: attackers place malware on compromised servers and enlist them in a botnet used for DDoS attacks. At its peak, the volume of DDoS traffic generated by the botnet of compromised GitLab servers reached 1 terabit per second.

The vulnerability is caused by incorrect processing of uploaded image files by an external parser based on the ExifTool library. A vulnerability in ExifTool (CVE-2021-22204) allowed arbitrary commands to be executed on the system when parsing metadata from DjVu files, for example via a metadata record of the form: (metadata (Copyright "\" . qx{echo test >/tmp/test} . \" b ") )

At the same time, since ExifTool determined the actual format from the file content (its MIME type) rather than from the file extension, an attacker could upload a DjVu document containing the exploit under the guise of a regular JPG or TIFF image (GitLab calls ExifTool for all files with the extensions jpg, jpeg and tiff in order to strip extra tags). A proof-of-concept exploit has been published. In the default configuration of GitLab CE, the attack can be carried out by sending two requests that do not require authentication.
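As an added illustration (not from the article and not GitLab's own code), the following Python helpers script two defensive checks derived from the facts above: whether a reported GitLab version falls in the affected range (11.9 up to the fixed releases 13.8.8, 13.9.6 and 13.10.3), and whether a file that GitLab would hand to ExifTool because of its jpg/jpeg/tiff extension actually begins with DjVu magic bytes instead of a JPEG or TIFF header. The magic-byte signatures are the standard ones for these formats and are not stated in the article; the sample file contents are constructed.

```python
import re

# Extensions that GitLab passes to ExifTool for tag stripping (from the article).
EXIFTOOL_EXTENSIONS = {"jpg", "jpeg", "tiff"}

# Leading bytes of each container. DjVu is an IFF-style file starting with
# "AT&TFORM"; JPEG starts with the SOI marker FF D8 FF; TIFF starts with a
# byte-order mark ("II" or "MM") followed by the magic number 42.
MAGIC = {
    "djvu": (b"AT&TFORM",),
    "jpeg": (b"\xff\xd8\xff",),
    "tiff": (b"II*\x00", b"MM\x00*"),
}

# First patched patch-level for each fixed release branch; later branches are fixed.
FIXED_PATCH = {(13, 8): 8, (13, 9): 6, (13, 10): 3}
FIRST_AFFECTED = (11, 9)


def parse_version(version: str):
    """Turn '13.10.2' or '13.10' into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def is_vulnerable(version: str) -> bool:
    """True if this GitLab version is in the CVE-2021-22205 affected range."""
    major, minor, patch = parse_version(version)
    if (major, minor) < FIRST_AFFECTED:
        return False
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    return (major, minor) < min(FIXED_PATCH)  # older branches never got the fix


def sniff_format(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the filename entirely."""
    for fmt, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """For files ExifTool would see, return (claimed, sniffed) when content and extension disagree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXIFTOOL_EXTENSIONS:
        return None
    claimed = "tiff" if ext == "tiff" else "jpeg"
    sniffed = sniff_format(data)
    return None if sniffed == claimed else (claimed, sniffed)


# Constructed sample: a DjVu header uploaded under a .jpg name.
SAMPLE_DISGUISED = ("avatar.jpg", b"AT&TFORM\x00\x00\x00\x10DJVU")
```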

GitLab users are advised to make sure that they are running the latest version and, if they are on an outdated release, to install the updates urgently; if that is not possible for some reason, they should at least apply the standalone patch that blocks the vulnerability. Users of systems that have not been updated are also advised to verify that the system has not been compromised by analyzing the logs and checking for suspicious attacker accounts (e.g. dexbcx, dexbcx818, dexbcxh, dexbcxi and dexbcxa99).

Source: opennet.ru