Update GitLab to address Workhorse vulnerability

This message is intended for U-M IT staff who are responsible for university systems running GitLab.

Summary

This vulnerability in GitLab allows for remote command execution (RCE) and is being actively exploited by threat actors. A vendor-supplied update to address this vulnerability was made available several months ago, and must be applied immediately.

Problem

GitLab Community Edition (CE) and Enterprise Edition (EE) in the affected versions do not properly validate image files before passing them to a file parser, which can result in RCE. Anyone able to upload an image that is processed by GitLab Workhorse could achieve RCE with a specially crafted file.

Threats

There has been recent active exploitation of vulnerable GitLab instances.

Affected Versions

This vulnerability affects the following versions of GitLab:

  • 11.9.x-13.8.7
  • 13.9.0-13.9.5
  • 13.10.0-13.10.2

Action Items

There are three action items required for this vulnerability:

  • Update systems to a non-affected version immediately.
  • Check systems that were running an affected version of GitLab for possible compromise and contact [email protected] if you believe that systems may have been compromised. When checking systems, make sure to check for:
    • Unexpected listening network services
    • Unexpected GitLab user accounts and admin accounts (especially those with @gmail.com addresses)
    • Unexpected processes or services
    • Unexpected network connections to non-UM hosts
  • Ensure that CrowdStrike Falcon is running on your university systems. If you need assistance installing or checking CS Falcon, contact your unit's Falcon admin or Security Unit Liaison (SUL).

Technical Details

GitLab Workhorse passes any file with the extension jpg, jpeg, or tiff through to ExifTool to remove non-whitelisted metadata tags. ExifTool ignores the file extension and determines the file type from its content, so simply renaming an uploaded file lets it reach any of ExifTool's supported parsers rather than only the JPEG and TIFF ones. As a result, arbitrary code embedded in certain file types can be executed on the affected system.
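The mismatch described above is between an extension-based routing decision and a content-sniffing parser. The following Go function, added here as an illustration and not code from GitLab or Workhorse, shows the kind of check that closes that gap on the defender's side: a file is handed to the metadata stripper only when its extension is one of the routed ones and its leading bytes carry the signature of the format that extension claims. The function name, the extension map and the sample inputs are constructed for this example; the check narrows the parser surface but does not replace the vendor update.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Magic-byte signatures for the only formats the upload path intends to hand to ExifTool.
// JPEG begins with the SOI marker FF D8 FF; TIFF begins with "II*\x00" (little-endian)
// or "MM\x00*" (big-endian).
var imageMagic = map[string][][]byte{
	"jpeg": {{0xFF, 0xD8, 0xFF}},
	"tiff": {[]byte("II*\x00"), []byte("MM\x00*")},
}

// extToKind maps the extensions named in the advisory (jpg, jpeg, tiff) to the
// container format each one claims. Hypothetical table for this example.
var extToKind = map[string]string{".jpg": "jpeg", ".jpeg": "jpeg", ".tiff": "tiff"}

// ShouldPassToExifTool returns true only when the extension is routed AND the
// content's leading bytes match that format's signature. Content that claims .jpg
// but carries another format's header is rejected here, before any content-sniffing
// parser sees it. The second return value is a reason suitable for logging.
func ShouldPassToExifTool(filename string, content []byte) (bool, string) {
	ext := strings.ToLower(path.Ext(filename))
	kind, routed := extToKind[ext]
	if !routed {
		return false, "extension not routed to ExifTool"
	}
	for _, sig := range imageMagic[kind] {
		if bytes.HasPrefix(content, sig) {
			return true, "content matches " + kind
		}
	}
	return false, fmt.Sprintf("extension %s claims %s but content does not match", ext, kind)
}

func main() {
	// Constructed samples, not real uploads: a JFIF header, a PNG header renamed to .jpg,
	// and a little-endian TIFF header.
	jpeg := []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F'}
	png := []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1A, '\n'}
	for _, c := range []struct{ name string; data []byte }{
		{"photo.jpg", jpeg}, {"renamed.jpg", png}, {"scan.tiff", []byte("II*\x00\x08\x00\x00\x00")},
	} {
		ok, why := ShouldPassToExifTool(c.name, c.data)
		fmt.Printf("%-12s pass=%v (%s)\n", c.name, ok, why)
	}
}
```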

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

In general, the best protection for your systems is to keep your software and apps up to date and to be sure CrowdStrike Falcon is installed on all university systems in your unit.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.

References