GitLab patched 17 bugs, including a critical flaw with a CVSS score of 9.9 that could let an attacker trigger a pipeline as an arbitrary user, leading to privileged escalation, data exfiltration, and a software supply chain compromise.
Security pros consider flaws in a CI/CD pipeline serious because the pipeline just doesn’t automate how developers create, test, and deploy applications, it helps teams find bugs early in the development process, which helps them turn out higher quality software.
Nearly 30,000 companies worldwide use GitLab, with about 44% of them from the United States.
In its Sept. 11 advisory, GitLab said the critical flaw — CVE-2024-6678 — was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7; from 17.2 prior to 17.2.5; and from 17.3 prior to 17.3.2.
Callie Guenther, senior manager of cyber threat research at Critical Start, said while this vulnerability has not been observed in the wild yet, it bears strong similarities to recent high-profile attacks and tactics used by advanced persistent threat (APT) groups and cybercriminal gangs.
Guenther, an SC Media columnist, pointed to the CodeCov breach in 2021 that exposed the danger of a CI/CD pipeline compromise. Attackers modified a script in CodeCov’s pipeline, which let them exfiltrate environment variables, credentials, and sensitive data. This attack had ripple effects, affecting multiple downstream organizations that relied on compromised builds.
“APTs such as APT29 (Cozy Bear) and Lazarus Group target these environments for long-term access and data manipulation,” said Guenther. “In the case of CVE-2024-6678, exploiting pipeline permissions could lead to widespread compromise of production software.”
Evan Dornbush, a former NSA cybersecurity specialist, explained that this bug is particularly insidious for three reasons. First, an attacker can access all of the company’s source code, resulting in loss of intellectual property. Second, an attacker can introduce his/her own malicious code into the organization, resulting in the product being a source of vulnerability to the product's users. Finally, an attacker can compel a vulnerable server to run malicious programs, resulting in the compromise of the underlying operating system.
“The attacker does not need to be part of your organization,” said Dornbush. “If accounts are shared between GitLab instances, an attacker from one organization — either a legitimate account or a compromised account — can be used to access another. Or you could be at risk of a supply chain infection if your organization pulls in code from external systems. In these scenarios, security teams will need to do more than patch. They will also need to ensure their counterparties are patched and encourage those counterparties to talk to their counterparties."
