GitLab servers found to have been used in DDoS attacks of over 1 Tbps

news

It has been revealed that a vulnerability in self-managed GitLab servers has been exploited to build a botnet that is conducting distributed denial of service (DDoS) attacks exceeding 1 terabit per second (Tbps).

The attacks exploit CVE-2021-22205, a vulnerability that GitLab patched in April 2021. The botnet was disclosed by Damian Menscher, Security Reliability Engineer in charge of DDoS protection for Google Cloud.

https://nvd.nist.gov/vuln/detail/CVE-2021-22205

An issue affecting all versions of GitLab CE/EE from 11.9 onward has been discovered. GitLab did not properly validate image files passed to a file parser, which allowed commands to be executed remotely.

Attack on GitLab’s metadata removal feature

This vulnerability, reported through GitLab’s bug bounty program, lies in ExifTool, a tool GitLab uses to strip metadata from images uploaded to the web server.

ExifTool is used in both GitLab Community Edition (CE) and Enterprise Edition (EE), the open source and commercial self-managed versions that organizations install on their own servers, typically when they cannot use GitLab’s cloud-hosted service and want to keep proprietary code within their own environment.

The reporter stated that they had found a way to take control of the entire GitLab web server by exploiting how ExifTool handles uploads in the DjVu file format, which is used for scanned documents.

GitLab disclosed on HackerOne: RCE when removing metadata with...
Summary: When uploading image files, GitLab Workhorse passes any files with the extensions […] through to […] to remove a...

According to Italian security firm HN Security, attacks exploiting this vulnerability began in June 2021.

HN Security began investigating after discovering that a user with a random name had been added to a compromised GitLab server. That account was most likely created by the attacker to maintain remote control of the hacked system.

Google’s Menscher said the hacked servers are part of a botnet consisting of “thousands of compromised GitLab instances” that are conducting a massive DDoS attack.

About 30,000 GitLab servers are unpatched

Botnet operators appear to be taking advantage of the fact that companies around the world are slow to patch their software. According to an analysis published by Rapid7, more than 60,000 GitLab servers are connected to the Internet, and about half of them have not yet been patched against the CVE-2021-22205 ExifTool vulnerability.
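A version check of the kind an administrator would run against their own instances, as an added example (not code from the article, GitLab or Rapid7). The fixed release numbers are taken from GitLab’s April 2021 security release rather than from the article, the fetch helper assumes an API token for the target instance, and the sample version strings are constructed.

```python
"""Decide whether a self-managed GitLab version still needs the CVE-2021-22205 fix.

Added example, not GitLab's own tooling. The fixed releases (13.10.3, 13.9.6,
13.8.8) come from GitLab's April 2021 security release, not from the article;
everything from 11.9.0 up to those releases is affected, and release branches
older than 13.8 never received a backported fix.
"""
import json
import re
import urllib.request
from typing import Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (11, 9, 0)
# Branches that received a backported fix, and the first fixed patch release.
FIXED_ON_BRANCH = {(13, 10): (13, 10, 3), (13, 9): (13, 9, 6), (13, 8): (13, 8, 8)}
FIRST_CLEAN_BRANCH = (13, 11)   # 13.11 and later always include the fix


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' and ignore suffixes such as '-ee' or '-rc1'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True if the given release is affected by CVE-2021-22205."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False                  # predates the affected code path
    branch = (v[0], v[1])
    if branch >= FIRST_CLEAN_BRANCH:
        return False
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]
    return True                       # 11.9 .. 13.7: no fixed release on the branch


def fetch_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint.

    The endpoint requires an authenticated user (PRIVATE-TOKEN header); this
    performs a live request and is not exercised by the offline samples below.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample version strings.
    for sample in ("13.7.9", "13.8.7", "13.8.8", "13.10.2-ee", "13.10.3", "14.4.1", "11.8.3"):
        print(f"{sample:12s} vulnerable={is_vulnerable(sample)}")
```

Note that a branch such as 13.7 reports as vulnerable at every patch level: the fix was only backported to 13.8, 13.9 and 13.10, so an instance on an older branch has to be upgraded across branches rather than to a later patch release.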

Proof-of-concept code for this vulnerability has been publicly available since June, the same month HN Security observed the first attack.

https://github.com/CsEnox/Gitlab-Exiftool-RCE

The ExifTool vulnerability at the core of the GitLab issue is tracked separately as CVE-2021-22204. Because other web applications also deploy ExifTool, further exploits may be reported against them, and those applications may need patching as well.

If your organization does not need to handle DjVu files, the simplest mitigation is to reject them at the server level. Note, however, that the GitLab exploit submitted DjVu content under an ordinary image extension, so an extension-based block is not enough on its own: the rejection has to look at the file contents, and upgrading GitLab to a release that ships the fixed ExifTool remains the only reliable fix.
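Content-based rejection of that kind, as an added example that is not part of the original article or of GitLab’s own code. It assumes a hypothetical upload gate with a small allow-list of image types, decides on the leading bytes rather than the extension, and treats any file beginning with the AT&TFORM container signature that DjVu uses as DjVu; the sample byte strings are constructed for illustration.

```python
"""Reject DjVu content before it reaches a metadata stripper such as ExifTool.

Hypothetical upload gate (not GitLab code): the decision is based on the
leading bytes of the file, not on its extension, because ExifTool selects its
parser by content. Sample inputs below are constructed for illustration.
"""
from typing import Optional, Tuple

# DjVu files are IFF85 containers that begin with this 8-byte signature;
# anything carrying it is treated as DjVu whatever the file is called.
DJVU_MAGIC = b"AT&TFORM"

# Leading bytes of the image types this hypothetical server chooses to accept.
IMAGE_SIGNATURES: Tuple[Tuple[str, bytes], ...] = (
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("tiff", b"II*\x00"),   # little-endian TIFF
    ("tiff", b"MM\x00*"),   # big-endian TIFF
)

# Extension -> content type the extension claims.
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                   "tif": "tiff", "tiff": "tiff"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the file type from its leading bytes; None if unrecognised."""
    if data.startswith(DJVU_MAGIC):
        return "djvu"
    for name, sig in IMAGE_SIGNATURES:
        if data.startswith(sig):
            return name
    return None


def upload_allowed(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed on anything unexpected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext)
    actual = sniff_type(data)
    if actual == "djvu":
        return False, "DjVu content rejected"
    if claimed is None:
        return False, f"extension {ext!r} not on the allow-list"
    if actual != claimed:
        return False, f"content ({actual}) does not match extension ({ext})"
    return True, "ok"


# Constructed samples: a DjVu container renamed to .jpg, a genuine JPEG header,
# a PNG header under a .jpg name, and an unrelated blob.
SAMPLES = {
    "scan.jpg": DJVU_MAGIC + b"\x00\x00\x01\x00" + b"DJVM" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "logo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"plain text, not an image",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        allowed, reason = upload_allowed(name, blob)
        print(f"{name:10s} -> {'ALLOW' if allowed else 'REJECT':6s} ({reason})")
```

The gate is deliberately an allow-list: a file is accepted only when its extension is known and its leading bytes agree with that extension, so renamed DjVu files, renamed PNGs and unknown blobs are all rejected rather than passed on to the metadata stripper.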
