CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
GitLab has issued several critical security updates, and users of the version control software are urged to upgrade their installations as soon as possible. One of the fixes addresses a hard-coded password issue.
Distributed version control is a way for an organisation's codebase to be mirrored on the devices of anyone who needs access. Where people occasionally become confused is when they see a number of services using the word "Git" in their name. They're not all the same thing, and we shouldn't unnecessarily worry that one issue affects lots of different services just because of naming conventions.
GitLab and GitHub are not the same thing. If you're reading about this update, you're reading about an update for users of GitLab specifically. GitHub isn't affected by this, so its users shouldn't worry about missing security updates for hard-coded passwords. Hub and Lab are similar, but most definitely not the same.
There's been a critical security release addressing multiple issues. No fewer than 17 issues have been addressed, with one rated critical, two rated high, and nine rated medium. Here's the rundown of the issue rated critical, from GitLab's release page:
> Static passwords inadvertently set during OmniAuth-based registration
>
> A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.
>
> This vulnerability has been discovered internally by the GitLab team.
>
> Note: We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we're taking precautionary measures for our users' security.
Hardcoded passwords, also known as embedded credentials, make using the software or device they're attached to a risky business. If your cheap, off-the-shelf router has the same single password in use for every single device, that's bad: someone who owns one of these devices now knows the password for all of them. If your forum software has a single, unchangeable password buried in the code, that's bad too: somebody with dubious intentions may well have the keys to the kingdom for every installation of that forum.
It's a similar story here, with a few caveats. According to The Register, accounts created through OmniAuth using fewer than 21 characters for the password were vulnerable to the default password. A script has also been released which, in GitLab's words, "…can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162".
If you think you may be impacted by this, make haste and check out the list of updates. You don't want to leave an easy way in for attackers to exploit your business.
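As an added triage example (not GitLab's own script, which the page only quotes), the code below encodes the affected version ranges from the advisory text quoted above and lists the OmniAuth-registered accounts an admin of a vulnerable self-managed instance would want to force a password reset for. The user-record shape and the sample users are constructed assumptions.

```python
"""Triage helper for CVE-2022-1162 (hardcoded password for OmniAuth accounts).

Added example, not GitLab's script. Vulnerable ranges follow the advisory text:
14.7 before 14.7.7, 14.8 before 14.8.5, 14.9 before 14.9.2. Versions on other
minor lines are not claimed vulnerable by that text, so they are reported as
not affected here.
"""
import re
from typing import Iterable

# (major, minor) -> first patch release that carries the fix
FIXED_IN = {(14, 7): 7, (14, 8): 5, (14, 9): 2}


def parse_version(v: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-\w+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's vulnerable ranges."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


def accounts_to_reset(version: str, users: Iterable[dict]) -> list:
    """Usernames to reset if the instance ran a vulnerable release.

    Each user dict (constructed shape, an assumption) has 'username' and
    'providers', the OmniAuth providers the account was registered through;
    an empty list means the account was created with a locally chosen password.
    """
    if not is_affected(version):
        return []
    return sorted(u["username"] for u in users if u.get("providers"))


# Constructed sample users (not real data); provider names follow the advisory's examples
SAMPLE_USERS = [
    {"username": "alice", "providers": ["saml"]},
    {"username": "bob", "providers": []},
    {"username": "carol", "providers": ["ldap", "oauth"]},
]

if __name__ == "__main__":
    for v in ("14.7.6", "14.7.7", "14.9.1-ee", "14.10.0"):
        print(v, "affected" if is_affected(v) else "not affected", accounts_to_reset(v, SAMPLE_USERS))
```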
The post GitLab issues security updates; watch out for hard coded passwords appeared first on Malwarebytes Labs.