GitLab issues security patches for 17 vulnerable areas

GitLab announced the release of security updates to address 17 vulnerabilities. One of them is rated critical: it could allow a malicious actor to execute a pipeline job as an arbitrary user. This vulnerability (CVE-2024-6678) has a CVSS score of 9.9 out of 10.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, emphasized, “The patched vulnerability by GitLab (CVE-2024-6678) is a significant one, as it enables attackers to run pipeline jobs as any user, potentially leading to unauthorized code deployment or tampering with sensitive data. Given its critical CVSS score of 9.9, security teams cannot ignore this issue, even though there is no evidence of active exploitation at this time.”

The risks associated with CVE-2024-6678

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, stated, “CVE-2024-6678 poses a substantial risk, especially due to its capability to allow attackers to run pipeline jobs as arbitrary users, potentially leading to privilege escalation, data exfiltration, and compromises in software supply chains. Although this vulnerability has not been seen in the wild yet, it shares similarities with recent high-profile attacks and tactics utilized by Advanced Persistent Threats (APTs) and cybercriminal groups.”

Expanding on the risks, Guenther highlighted two main concerns.

Software supply chain compromise

“For instance, the Codecov breach (2021) exposed the dangers of CI/CD pipeline compromise. Attackers altered a script in Codecov’s pipeline, allowing them to extract environment variables, credentials, and sensitive data. This attack had widespread consequences, impacting multiple downstream organizations relying on compromised builds.

“APTs like APT29 (Cozy Bear) and Lazarus Group target these environments for prolonged access and data manipulation. With CVE-2024-6678, exploiting pipeline permissions could result in extensive compromises of production software.”

Privilege escalation and data exfiltration

“The Codecov breach illustrated how attackers exploited CI/CD pipeline access to extract credentials and elevate privileges, similar to what could be done through CVE-2024-6678. Groups like FIN11 or APT28 (Fancy Bear) could leverage this vulnerability to gain unauthorized access, move within networks, and extract sensitive data.”

Addressing CVE-2024-6678

Addressing this vulnerability is crucial, but it is not the only action that security leaders must take. Tiquet explained, “While patching is essential, additional steps are necessary. Security teams should monitor recent pipeline activity closely for any abnormalities and ensure that access control measures, such as Role-Based Access Control (RBAC), are enforced correctly. Furthermore, conducting a comprehensive review of user permissions and implementing strict segmentation between critical systems and development environments can help reduce potential harm.”

Guenther added, “While patching is vital, security teams need a multi-layered approach to safeguard their CI/CD environments from future exploitation:

  • “Enhance pipeline security: Implement least privilege access controls and regularly audit pipeline permissions to minimize abuse risks. Isolate critical pipeline stages, particularly those linked to production.
  • “Continuous monitoring: Deploy real-time monitoring for unusual pipeline activity, utilizing behavioral analytics to detect unauthorized or suspicious actions.
  • “Secure credential management: Utilize dedicated secrets management tools to store sensitive credentials used in pipelines and enforce regular credential rotation to prevent attackers from leveraging compromised secrets.
  • “Incident response and red teaming: Conduct regular red team exercises focusing on pipeline vulnerabilities and refine incident response plans to promptly address any compromises within DevOps environments.”
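A small triage script in the spirit of Tiquet's advice to review recent pipeline activity for abnormalities and to confirm that access controls hold. This is an added example, not GitLab's code or either expert's; the record shape borrows GitLab's pipeline API field names (id, source, user), while the commit author, the project membership map and the inactive-user list are assumed inputs a reader would pull from their own instance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pipeline:
    """One pipeline record. id, source and user follow GitLab's pipeline API;
    commit_author and project are assumed to have been resolved separately
    from the commit and project endpoints."""
    id: int
    source: str          # e.g. "push", "web", "api", "trigger", "schedule"
    user: str            # username the pipeline is attributed to
    commit_author: str   # username of the author of the pipeline's commit
    project: str


def review_pipelines(pipelines, members, inactive_users):
    """Return (pipeline id, user, reasons) for every pipeline whose triggering
    identity is inconsistent with what the project expects.
    These are review heuristics, not proof of abuse: a legitimate pusher can
    differ from the commit author (e.g. after a rebase), so each hit is a
    work item for the team that owns the project."""
    findings = []
    for p in pipelines:
        reasons = []
        if p.user not in members.get(p.project, set()):
            reasons.append(f"user is not a member of project {p.project}")
        if p.user in inactive_users:
            reasons.append("user is blocked or deactivated")
        if p.source == "push" and p.user != p.commit_author:
            reasons.append("push pipeline user differs from commit author")
        if reasons:
            findings.append((p.id, p.user, reasons))
    return findings


# Constructed sample data (not real projects, users or pipelines).
MEMBERS = {"payments": {"alice", "bob", "mallory_old"}, "infra": {"erin"}}
INACTIVE_USERS = {"mallory_old"}
SAMPLE_PIPELINES = [
    Pipeline(101, "push", "alice", "alice", "payments"),            # normal
    Pipeline(102, "web", "bob", "alice", "payments"),               # manual run by a member: fine
    Pipeline(103, "push", "carol", "dave", "payments"),             # non-member, author mismatch
    Pipeline(104, "api", "mallory_old", "mallory_old", "payments"),  # deactivated account
    Pipeline(105, "push", "erin", "erin", "infra"),                 # normal
]

if __name__ == "__main__":
    for pid, user, reasons in review_pipelines(SAMPLE_PIPELINES, MEMBERS, INACTIVE_USERS):
        print(f"pipeline {pid} (user {user}): " + "; ".join(reasons))
```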

Copyright © TSP 2024. All rights reserved. Designed by Enovate LLC