GitLab Arbitrary File Read Vulnerability

22/06/2020 14:00:34


Description

Introduction to Related Components
GitLab is an open source project for repository management system. It uses Git as a code management tool and builds a web service based on Git. GitLab is a web-based Git-repository manager tool developed by GitLab Inc., which uses MIT license, and has wiki and issue tracking functions.

Analysis
When an issue moves between GitLab projects, the UploadsRewriter module will move the local issue and the files referenced by the issue to the new project. Part of the code for performing this operation is as follows:



This part of the code does not place any directory restrictions on the files referenced by the issue, so there is a directory traversal vulnerability. An arbitrary file can be copied from the GitLab server to a new issue by exploiting this directory traversal vulnerability. We can search for file reference by using this:



This regular expression is used to match the files referenced in the issue. Although there are certain restrictions on the file path referenced here, it does not solve the problem of directory traversal, resulting in an attacker who can exploit the vulnerability to download arbitrary files from the server host.

Affected Versions
GitLab GitLab EE >=8.5, <=12.9
GitLab GitLab CE >=8.5, <=12.9

Timeline
March 26, 2020 GitLab released an update patch.
April 28, 2020 The vulnerability details are disclosed.
May 7, 2020 Sangfor FarSight Labs released alerts and solutions.

Solution

Detection Method
Use the following command to check the current GitLab version:

cat /opt/gitlab/embedded/service/gitlab-rails/VERSION

If it is confirmed that the current version is within the affected range, there is a security risk that mentioned above.

Remediation Solution
The official has fixed the above vulnerability in the latest version of GitLab, users can download and upgrade the software to the latest version from the official website.

Link: https://packages.gitlab.com/gitlab/gitlab-ce

Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has automatically updated its database in the cloud. Those users are already protected from this vulnerability without needing to perform any additional operations.

Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 for any security issues you may have. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.

Our Social Networks

Global Service Center:

COPYRIGHT © 2000-2020 SANGFOR TECHNOLOGIES. ALL RIGHTS RESERVED.