CVE-2017-0882 - Information Exposure vulnerability in Gitlab
| Metric | Value |
|---|---|
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| Confidentiality impact | LOW |
| Integrity impact | LOW |
| Availability impact | LOW |

Summary
Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
| Field | Value |
|---|---|
| NASL family | FreeBSD Local Security Checks |
| NASL id | FREEBSD_PKG_5D62950F3BB511E793F7D43D7E971A1B.NASL |
| description | GitLab reports : Information Disclosure in Issue and Merge Request Trackers During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 100284 |
| published | 2017-05-19 |
| reporter | This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/100284 |
| title | FreeBSD : gitlab -- Various security issues (5d62950f-3bb5-11e7-93f7-d43d7e971a1b) |
Seebug
| Field | Value |
|---|---|
| bulletinFamily | exploit |

description:

#### Information Disclosure in Issue and Merge Request Trackers

During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user's private token, email token, email address, and encrypted OTP secret. Reporter-level access to a GitLab project is required to exploit this flaw.

This vulnerability is the result of a bug in the serialization of a user object and was introduced in GitLab 8.7.0. Please see the [issue](https://gitlab.com/gitlab-org/gitlab-ce/issues/29661) for more details. This issue has been assigned [CVE-2017-0882](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0882).

#### Versions affected

* 8.7.0 through 8.15.7
* 8.16.0 through 8.16.7
* 8.17.0 through 8.17.3

We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.

### Post-Upgrade Steps

Due to the nature of this vulnerability it is possible that sensitive user tokens have been cached by proxies or web browsers. We therefore recommend that administrators reset private tokens and incoming email tokens for all users. A rake task for performing token resets is included with this announcement.

Encrypted One-Time Password (OTP) secrets may also have been leaked by the vulnerability. These secrets are encrypted, require the key for decrypting the secret, and cannot be used on their own without a copy of the user password; however, we are still recommending that all users who utilize One-Time Passwords disable and then re-enable their OTP for all GitLab instances. This will reset the OTP secret.

### Rake Task for Resetting User Tokens

After upgrading we recommend that all GitLab installations reset all user private tokens and email tokens. To do so please save the following rake task in the appropriate location.

For Omnibus: `/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/reset_token.rake`

For Source: `<gitlab_installation_dir>/lib/tasks/reset_token.rake`

```ruby
# lib/tasks/reset_token.rake
require_relative '../../app/models/concerns/token_authenticatable.rb'

STDOUT.sync = true

namespace :tokens do
  desc "Reset all GitLab user auth tokens"
  task reset_all: :environment do
    reset_all_users_token(:reset_authentication_token!)
  end

  desc "Reset all GitLab email tokens"
  task reset_all_email: :environment do
    reset_all_users_token(:reset_incoming_email_token!)
  end

  # Rotate the given token on every user, walking the table in batches
  def reset_all_users_token(token)
    TmpUser.find_in_batches do |batch|
      puts "Processing batch starting with user ID: #{batch.first.id}"
      batch.each(&token)
    end
  end
end

# Minimal model bound to the users table so the task does not depend on
# the full User model and its validations
class TmpUser < ActiveRecord::Base
  include TokenAuthenticatable

  self.table_name = 'users'

  def reset_authentication_token!
    write_new_token(:authentication_token)
    save!(validate: false)
  end

  def reset_incoming_email_token!
    write_new_token(:incoming_email_token)
    save!(validate: false)
  end
end
```

Omnibus users would then run:

```
sudo gitlab-rake tokens:reset_all
sudo gitlab-rake tokens:reset_all_email
```

Source users would run:

```
sudo -u git -H bundle exec rake tokens:reset_all RAILS_ENV=production
sudo -u git -H bundle exec rake tokens:reset_all_email RAILS_ENV=production
```

The rake file can be deleted after this task finishes.

#### Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

#### Securing via patch

To temporarily patch just the critical vulnerability, change to the appropriate directory and apply the attached diff.

Omnibus:

```
$ cd /opt/gitlab/embedded/service/gitlab-rails/
$ git apply <path_to_diff>
$ sudo gitlab-ctl restart unicorn
```

Source:

```
$ cd <gitlab_installation_dir>/
$ git apply <path_to_diff>
```

```diff
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb index 1151555..857d907 100644 --- a/app/controllers/projects/issues_controller.rb +++ b/app/controllers/projects/issues_controller.rb @@ -129,7 +129,7 @@ class Projects::IssuesController < Projects::ApplicationController end format.json do - render json: @issue.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) + render json: @issue.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) end end diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index 82f9b6e..677a8a1 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -308,7 +308,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController end format.json do - render json: @merge_request.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) + render json: @merge_request.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short]) end end rescue ActiveRecord::StaleObjectError
```

#### Verifying the workaround

1. Browse to a project
2. Open the project's issue tracker
3. Create an issue and assign ownership of the issue to another user
4. View the returned JSON and verify that no private information such as tokens are included
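Review bot: in the issues_controller hunk, the `assignee: { only: [:name, :username], methods: [:avatar_url] }` whitelist closes the leak for this one `format.json` response only; since the advisory attributes the bug to the serialization of the user object itself, any other `to_json` call that includes a User association stays exposed, so restricting what the User model exposes to JSON by default (overriding its `as_json`) would be the durable fix, with this per-call whitelist kept as defence in depth. The `milestone: {}` and `labels: { methods: :text_color }` includes still serialize whole rows; they carry no credentials today, but the same `only:` treatment would keep that true.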
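Review bot: the merge_requests_controller hunk applies the same whitelist to the merge request update response (the `rescue ActiveRecord::StaleObjectError` context), yet the "Verifying the workaround" steps above exercise only the issue tracker; add a parallel step that reassigns a merge request and checks its JSON, otherwise a mistake in this second hunk would go unnoticed. The change from `methods: :avatar_url` to `methods: [:avatar_url]` is behaviourally identical and is worth calling out as cosmetic so reviewers do not look for a second functional change.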
| Field | Value |
|---|---|
| id | SSV:92805 |
| last seen | 2017-11-19 |
| modified | 2017-03-21 |
| published | 2017-03-21 |
| reporter | Root |
| title | GitLab permission leak Vulnerability (CVE-2017-0882) |
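The advisory's last verification step is done by eye. The following Ruby is an added example, not GitLab's own code, that checks a captured issue or merge-request JSON response for the User attributes the patch is meant to strip, reporting the path of each one so nested includes like `assignee` are covered. The key list comes from the advisory and its rake task; the OTP and password column names and the two sample responses are constructed assumptions.

```ruby
# Added example (not GitLab's code): automates step 4 of the advisory's
# "Verifying the workaround" by scanning a JSON response for User fields.
require 'json'

# Names from the advisory and its rake task (authentication_token,
# incoming_email_token); the OTP and password column names are assumed.
SENSITIVE_USER_KEYS = %w[
  authentication_token private_token incoming_email_token email
  encrypted_otp_secret encrypted_otp_secret_iv encrypted_otp_secret_salt
  otp_backup_codes encrypted_password
].freeze

# Walk parsed JSON recursively and return the dotted path of every
# sensitive key (e.g. "assignee.authentication_token"), so nested
# includes such as assignee, milestone and labels are all covered.
def leaked_user_fields(node, path = [])
  case node
  when Hash
    node.flat_map do |key, value|
      here = path + [key.to_s]
      hit = SENSITIVE_USER_KEYS.include?(key.to_s) ? [here.join('.')] : []
      hit + leaked_user_fields(value, here)
    end
  when Array
    node.each_with_index.flat_map { |v, i| leaked_user_fields(v, path + [i.to_s]) }
  else
    []
  end
end

def leaked_user_fields_in(json_text)
  leaked_user_fields(JSON.parse(json_text))
end

# Constructed sample responses (not captured from a real instance).
# Before the patch the nested assignee is a full User row.
UNPATCHED_RESPONSE = <<~JSON
  {"id": 7, "title": "Example issue",
   "assignee": {"id": 3, "name": "Bob", "username": "bob", "email": "bob@example.com",
                "authentication_token": "SAMPLE-NOT-A-REAL-TOKEN",
                "incoming_email_token": "SAMPLE-NOT-A-REAL-TOKEN",
                "encrypted_otp_secret": "SAMPLE-NOT-A-REAL-SECRET",
                "avatar_url": "https://gitlab.example/avatar/3.png"},
   "labels": [{"id": 1, "title": "bug", "text_color": "#FFFFFF"}]}
JSON
# After `only: [:name, :username], methods: [:avatar_url]` is applied.
PATCHED_RESPONSE = <<~JSON
  {"id": 7, "title": "Example issue",
   "assignee": {"name": "Bob", "username": "bob", "avatar_url": "https://gitlab.example/avatar/3.png"},
   "labels": [{"id": 1, "title": "bug", "text_color": "#FFFFFF"}]}
JSON
```

Run it against the JSON captured in step 4 for both an issue and a merge request; an empty result means the whitelist is in effect.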
References
- http://www.securityfocus.com/bid/97157
- https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
- https://gitlab.com/gitlab-org/gitlab-ce/commit/43f5a2739dbf8f5c4c16a79f98e2630888f6b5d1
- https://gitlab.com/gitlab-org/gitlab-ce/commit/a70346fc6530aa28a98e4aa4cf0f40e2c3bcef6b
- https://gitlab.com/gitlab-org/gitlab-ce/commit/cdf396f456472ef8decd9598daa8dc0097cd30c5
- https://gitlab.com/gitlab-org/gitlab-ce/issues/29661