GitLab Fixes Security Flaw That Lets Attackers Run Pipeline Jobs – DevOps.com
GitLab is urging users to upgrade to the latest versions of GitLab Community and Enterprise editions, which fix a critical security flaw that allows bad actors to run a pipeline as another user.
The widely used web-based Git repository manager this week released versions 17.1.2, 17.0.4 and 16.11.6, which include a range of bug and security fixes for both editions. The other vulnerabilities were rated medium or low in severity, but one, tracked as CVE-2024-6385, was given a CVSS rating of 9.6 out of 10.
The security flaw affects Community and Enterprise edition versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2. The vulnerability “allows an attacker to trigger a pipeline as another user under certain circumstances,” Rohit Shambhuni, staff application security engineer at GitLab, wrote in a security notice.
Shambhuni didn’t detail the circumstances needed to allow such an attack.
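The advisory gives concrete version ranges, so the first thing an administrator should do is check where a self-managed instance sits relative to them. The following is an added example, not GitLab's own code: it encodes the CVE-2024-6385 ranges exactly as stated above (15.8 before 16.11.6, 17.0 before 17.0.4, 17.1 before 17.1.2) and evaluates the JSON that GitLab's documented `GET /api/v4/version` endpoint returns to an authenticated user. The sample response is constructed; the instance URL and token are placeholders.

```python
"""Check a GitLab version string against the CVE-2024-6385 affected ranges.

Added example (not GitLab code). The ranges come from GitLab's advisory as
quoted in the article; the /api/v4/version response shape ({"version": ...,
"revision": ...}) is the documented GitLab REST endpoint.
"""
import json
import re
import urllib.request

# Half-open ranges [first affected, first fixed) per release line.
AFFECTED_RANGES = {
    "CVE-2024-6385": [
        ((15, 8, 0), (16, 11, 6)),
        ((17, 0, 0), (17, 0, 4)),
        ((17, 1, 0), (17, 1, 2)),
    ],
}


def parse_version(text):
    """Return (major, minor, patch) from '17.1.1', '16.11.5-ee', '17.1'.

    Edition and pre-release suffixes after the numeric part are ignored;
    a missing patch component is treated as 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version, cve="CVE-2024-6385"):
    """True if `version` lies inside any affected range for `cve`."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES[cve])


def minimum_fixed_version(version, cve="CVE-2024-6385"):
    """First patched release on the same line, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES[cve]:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def check_instance_response(body_json, cve="CVE-2024-6385"):
    """Evaluate the JSON body returned by GET /api/v4/version."""
    version = json.loads(body_json)["version"]
    return {
        "version": version,
        "affected": is_affected(version, cve),
        "upgrade_to": minimum_fixed_version(version, cve),
    }


def fetch_version(base_url, token):
    """GET <base_url>/api/v4/version. The endpoint requires an authenticated
    user; PRIVATE-TOKEN is the standard GitLab personal-access-token header."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample of an /api/v4/version response (not a real instance).
    sample = '{"version": "17.1.1-ee", "revision": "0123456789ab"}'
    print(check_instance_response(sample))
    # To query a live instance instead (placeholders, not real values):
    # print(check_instance_response(fetch_version("https://gitlab.example.com", "glpat-...")))
```

The comparison uses tuples so that `16.11.5` sorts below `16.11.6` and `17.0.3` below `17.0.4` without any string tricks; anything before 15.8 or at or above the fixed release on its line reports as not affected, matching the advisory's wording.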
However, Contrast Security CISO David Lindner said administrators need to take notice of this vulnerability and heed GitLab’s advice to upgrade immediately.
“This is REALLY bad, as it effectively turns off access controls for running pipelines, which is the lifeblood of moving software from development to production,” Lindner wrote in an email. “This vulnerability could allow unauthorized users to execute pipeline jobs as any other user, which in turn could enable attackers to run malicious code, access sensitive data and compromise software integrity.”
Ray Kelly, a Fellow at Synopsys Software Integrity Group, said that given the fast pace in the SecDevOps world, “any mention of a vulnerability in pipeline functionality can certainly make the hairs on your neck stand up. Once a pipeline is compromised, software can be altered with malware, backdoors, or used to steal private information from organizations.”
All of that is difficult to detect, since security scans typically run earlier in the software development lifecycle, Kelly said. Given recent supply-chain breaches, organizations need to patch such flaws immediately to keep bad actors from compromising their software. In addition, running security scans in the pipeline itself can help detect issues before they’re deployed.
A Foundation for CI/CD
GitLab pipelines are a key part of a developer’s automated continuous integration and continuous deployment (CI/CD) process, driving software through its stages, from building to testing to deploying code. According to GitLab, “Pipelines are comprised of jobs, which define what will be done, such as compiling or testing code, as well as stages that spell out when to run the jobs. An example would be running tests after stages that compile the code.”
They’re important for many of GitLab’s 30 million users, which include such high-profile companies as Lockheed Martin and Boeing in the aerospace field, French multinational Thales, global management consulting service Booz Allen Hamilton and General Dynamics Information Technology, an IT service management firm.
The fix for the security flaw comes less than a month after GitLab released new versions of the Community and Enterprise editions to fix a similar vulnerability, tracked as CVE-2024-5655, which also allows an attacker to run a pipeline as another user. That flaw was also given a CVSS severity rating of 9.6.
Code Repositories as Targets
The push to rapidly patch such security flaws is driven in part by the increasing focus cybercriminals are putting on code repositories and package registries like GitLab, GitHub, the Python Package Index (PyPI), npm and, in the ever-expanding generative AI space, Hugging Face.
Such repositories not only hold a lot of information, but they’re also an avenue for bad actors in software supply-chain attacks, who try to insert unauthorized code into the CI/CD pipeline so that it’s included in applications that then reach downstream IT environments. This can have wide-ranging effects, as shown by the SolarWinds incident of 2020, when hackers inserted malicious code into the company’s Orion IT monitoring and management software.
“Code repositories have become a prime target for threat actors targeting credential theft and supply chain attacks,” according to a blog post in March by cybersecurity firm SentinelOne. “Git repositories can contain not only proprietary code but also sensitive credentials like API keys, passwords, and cryptographic keys.”
Researchers with cybersecurity firm Apiiro in a report in February wrote about a repo confusion attack that affected more than 100,000 GitHub repositories that played out “when unsuspecting developers use repositories that resemble known and trusted ones but are infected with malicious code.”
Pushing for Secure Development
CISA and other federal security and law enforcement agencies have been urging organizations and programmers to focus on security at every step of development, a cornerstone of the White House’s Secure By Design initiative. It’s an effort aimed not only at creating more secure code but also at shifting responsibility for software security from customers to the developers who build it.
As part of the program, CISA and the FBI this week issued an alert pushing tech companies to eliminate OS command injection flaws in their products, which enable threat actors to remotely execute code on devices at the network edge.
“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command,” the agencies wrote. “Despite this finding, OS command injection vulnerabilities … are still a prevalent class of vulnerability.”