Tens of thousands unpatched GitLab servers under attack via CVE-2021-22205
Attackers are actively exploiting an “old” vulnerability (CVE-2021-22205) to take over on-premise GitLab servers, Rapid7 researcher Jacob Baines warns. The additional bad news is that at least half of the 60,000 internet-facing GitLab installations the company detects are not patched against this issue.
What are the attackers doing with these servers? Damian Menscher, a security reliability engineer responsible for DDoS defense at Google, says that some of them are used to generate DDoS attacks:
A botnet of thousands of compromised #GitLab instances (exploited via CVE-2021-22205) is generating DDoS attacks in excess of 1 Tbps. Please patch your servers!
— Damian Menscher (@menscher) November 4, 2021
About CVE-2021-22205
Patched by GitLab in April 2021, the vulnerability stems from the service’s web interface improper validation of image files passed to the service’s embedded version of ExifTool, and allows attackers to achieve remote code execution without having to authenticate to the server first.
“There are multiple recently published public exploits for this vulnerability, and it reportedly has been exploited in the wild since June or July of 2021. We expect exploitation to increase as details of the unauthenticated nature of this vulnerability become more widely understood,” Baines noted.
Exploitation prevention and incident response
CVE-2021-22205 affects all versions of both GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) starting from 11.9, so any of the later versions will do.
Those who have failed to upgrade their GitLab instances are advised to do so immediately. The are also urged to refrain from making it an internet facing service.
“If you need to access your GitLab from the internet, consider placing it behind a VPN,” Baines advised.
Rapid7 has also published a technical analysis and instructions on how organizations can check whether their GitLab server(s) have been compromised and whether they are vulnerable in the first place.
UPDATE (November 5, 2021, 01:00 a.m. PT):
There’s now an Metasploit module for CVE-2021-22205.