What is the CVE-2024-45409 vulnerability in GitLab?

CVE-2024-45409 is a critical SAML authentication bypass vulnerability in self-hosted instances of GitLab Community Edition (CE) and Enterprise Edition (EE), with a CVSS score of 10. The flaw allows attackers to bypass SAML authentication by crafting a malicious SAML response.

Which versions of GitLab are affected by CVE-2024-45409?

The affected versions are GitLab CE/EE 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10, and all earlier versions of those branches.

How can attackers exploit CVE-2024-45409?

Attackers can exploit CVE-2024-45409 by crafting a malicious SAML response, tricking GitLab into recognizing them as authenticated users, and bypassing SAML authentication. The flaw arises from inadequate validation of key components in SAML assertions, like the extern_uid.

Which versions of GitLab contain the patch for CVE-2024-45409?

The vulnerability has been patched in GitLab CE/EE versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10.

What steps should GitLab users take if they cannot upgrade immediately?

Users who cannot upgrade immediately should enable two-factor authentication (2FA) for all accounts and set the SAML 2FA bypass option to 'do not allow' as a mitigation measure.

What are potential signs of exploitation of CVE-2024-45409?

Potential signs of exploitation include errors related to RubySaml::ValidationError (unsuccessful attempts), new or unusual extern_uid values in authentication logs, multiple extern_uid values for a single user, SAML authentication from unfamiliar IP addresses, and missing or incorrect information in SAML responses.

Advisory

GitLab releases patches to fix a critical SAML authentication bypass in Gitlab Community and Enterprise

published: Sept. 18, 2024

Take action: If you are running GitLab CE/EE update your servers ASAP, or enforce MFA with no SAML MFA bypass. While this attack is primarily focused on SAML authentication (Signle Sign On), most self hosted GitLab instances are either SAML authenticated or there is some test config to check for SAML, so there is ample attack surface for hacker to exploit. Patch ASAP, don't delay.

Learn More

GitLab has released security updates to fix a critical SAML authentication bypass vulnerability, tracked as CVE-2024-45409 (CVSS score 10).

The flaw affects self-hosted/self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability originates from issues in the OmniAuth-SAML and Ruby-SAML libraries, which GitLab uses for SAML-based single sign-on (SSO) authentication.

The vulnerability occurs when a SAML response from an identity provider (IdP) contains a misconfiguration or is maliciously tampered with. Specifically, the flaw involves inadequate validation of key components in SAML assertions, such as the extern_uid (external user ID), which uniquely identifies a user across systems. An attacker can exploit this vulnerability by crafting a malicious SAML response, tricking GitLab into recognizing them as authenticated users, thereby bypassing SAML authentication and gaining unauthorized access.

Affected Versions:

GitLab CE/EE versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10, and all earlier versions of those branches.

Patched Versions:

The vulnerability has been patched in GitLab CE/EE versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 by upgrading OmniAuth SAML to version 2.2.1 and Ruby-SAML to 1.17.0.

Gitlab advises users to patch their Gitlab CE/EE instances immiediately. For users unable to upgrade immediately, GitLab recommends enabling two-factor authentication (2FA) for all accounts and setting the SAML 2FA bypass option to "do not allow."

GitLab has reported potential signs of exploitation attempts, which may include:

Errors related to RubySaml::ValidationError (unsuccessful attempts),
New or unusual extern_uid values in authentication logs (successful attempts),
Missing or incorrect information in SAML responses,
Multiple extern_uid values for a single user (indicating potential account compromise),
SAML authentication from unfamiliar or suspicious IP addresses.

In the advisory GitLab has provided example logs for successful and unsuccessful exploitation attempts to aid users in detecting potential attacks. While there are no confirmed reports of active exploitation, GitLab has acknowledged signs that malicious actors may be attempting to exploit this vulnerability.

Update - as of 6th of October 2024, a technical analysis and PoC exploit code is published about this flaw.

GitLab releases patches to fix a critical SAML authentication bypass in Gitlab Community and Enterprise

Read More
Command injection flaw in OpenAI Codex CLI enables …
Critical flaw in Fluent Bit logging/metrics tool puts …
Critical vulnerabilities in Gogs open-source Git service
Critical remote code execution flaw reported in pgAdmin4
Systemic Design Flaw in MCP Protocol Exposes AI …