GitLab Issues Security Updates for Critical SAML Authentication Bypass Vulnerability
September 18, 2024
GitLab has released security patches for a critical SAML authentication bypass flaw affecting self-managed deployments of GitLab Community Edition (CE) and Enterprise Edition (EE). SAML (Security Assertion Markup Language) is a single sign-on (SSO) authentication protocol that lets users log in to multiple services with the same credentials. The vulnerability, tracked as CVE-2024-45409, originates in the OmniAuth-SAML and Ruby-SAML libraries that GitLab uses for SAML-based authentication.
The vulnerability arises when the SAML response sent by an identity provider (IdP) to GitLab is misconfigured or has been tampered with. Specifically, key components of the SAML assertion, such as the extern_uid (external user ID) used to uniquely identify a user across systems, are insufficiently validated. An attacker can craft a malicious SAML response that deceives GitLab into accepting them as an authenticated user, bypassing SAML authentication and gaining access to the GitLab instance.
CVE-2024-45409 affects all releases of the 17.3, 17.2, 17.1, 17.0, and 16.11 branches prior to 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 respectively, as well as all earlier branches. The vulnerability is resolved in GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10, which upgrade OmniAuth SAML to version 2.2.1 and Ruby-SAML to 1.17.0. "We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," GitLab cautioned in the bulletin.
No action is required for users of GitLab.com or GitLab Dedicated instances, as the issue only affects self-managed installations. For those unable to upgrade to a patched version immediately, GitLab recommends enabling two-factor authentication (2FA) for all accounts and setting the SAML 2FA bypass option to "do not allow." While GitLab has not confirmed that the flaw has been exploited, the bulletin does list indicators of attempted or successful exploitation, suggesting that malicious actors may already be targeting it.
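As an added example (not GitLab's or the article's code), the following Ruby script checks a self-managed instance against the fixed versions named above: it decides whether a GitLab version string predates the patch for its branch, and scans a Gemfile.lock for omniauth-saml and ruby-saml versions below 2.2.1 and 1.17.0. The Gemfile.lock excerpt is constructed for the demonstration, and the assumption that branches newer than 17.3 ship the fix is the author of this example's, not the bulletin's.

```ruby
require 'rubygems'

# Patched GitLab release per branch, taken from the bulletin above.
FIXED_GITLAB = {
  [17, 3] => '17.3.3', [17, 2] => '17.2.7', [17, 1] => '17.1.8',
  [17, 0] => '17.0.8', [16, 11] => '16.11.10'
}.freeze

# Library versions the patched releases ship, also from the bulletin.
FIXED_GEMS = { 'omniauth-saml' => '2.2.1', 'ruby-saml' => '1.17.0' }.freeze

# True when a GitLab version string (e.g. "17.3.2-ee") predates the fix.
def gitlab_vulnerable?(version)
  v = Gem::Version.new(version.sub(/-.*\z/, '')) # drop "-ee"/"-ce" suffix
  branch = v.segments[0, 2]
  fixed = FIXED_GITLAB[branch]
  return v < Gem::Version.new(fixed) if fixed
  # Branches older than 16.11 received no patch. Branches newer than 17.3 are
  # assumed to have shipped after the fix (assumption, not from the bulletin).
  (branch <=> [16, 11]) < 0
end

# Scan Gemfile.lock text for the two SAML gems and return {name => version}
# for any that are below the fixed version. Only "specs:" entries, indented
# exactly four spaces, carry resolved versions; dependency lines use six.
def vulnerable_gems(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, found|
    m = line.chomp.match(/\A {4}([^\s(]+) \(([^)]+)\)\z/)
    next unless m && FIXED_GEMS.key?(m[1])
    found[m[1]] = m[2] if Gem::Version.new(m[2]) < Gem::Version.new(FIXED_GEMS[m[1]])
  end
end

# Constructed Gemfile.lock excerpt for demonstration (not from a real install).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth-saml (2.1.0)
        omniauth (~> 2.1)
        ruby-saml (~> 1.12)
      ruby-saml (1.16.0)
        nokogiri (>= 1.13.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "GitLab 17.3.2-ee vulnerable? #{gitlab_vulnerable?('17.3.2-ee')}"
  puts "Outdated SAML gems: #{vulnerable_gems(SAMPLE_LOCK)}"
end
```

On a real installation, point `vulnerable_gems` at the contents of the instance's Gemfile.lock and pass the output of the instance's version endpoint or `gitlab-rake gitlab:env:info` to `gitlab_vulnerable?`.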
GitLab was contacted to ask whether it has observed active exploitation of CVE-2024-45409 in the wild, but a response is still awaited.