November 3, 2021

A critical, unauthenticated, remote code execution GitLab bug remains exploitable, with over 50% of deployments remaining unpatched after it was fixed on April 14, 2021.

The vulnerability tracked as CVE-2021-22205 with a CVSS v3 score of 10.0, allows an unauthenticated, remote attacker to execute arbitrary commands as a “git’ user. This vulnerability allows the attacker to gain full access to the repository, including deleting, modifying, and stealing source code.

Hackers first exploited internet-facing GitLab servers in June 2021 to create new users and grant them admin privileges, and then exploited a working exploit released on GitHub on June 4, 2021, to abuse the vulnerable ExifTool component.

Attackers do not need to resort to authentication or the use of a CSRF token or even a valid HTTP endpoint to exploit.

Since the exploitation continues to this day, the researchers at Rapid7 decided to draw attention to the number of unpatched systems in order to determine the extent of the underlying problem.

In a report published by Rapid7, at least 50% of the 60,000 internet-facing GitLab installations they found were not patched against the critical RCE vulnerability that had been fixed six months earlier.

In addition, another 29% may or may not be vulnerable, with analysts failing to extract the version string for those servers.

Administrators need to upgrade to one of the following versions to fix the bug:

• 13.10.3
• 13.9.6
• 13.8.8

To keep GitLab instances safe from exploitation, users should check its response to POST requests that aim to exploit the incorrect handling of image files by ExifTool. The patched versions still allow someone to contact ExifTool, but the response to the request should be a rejection via an HTTP 404 error.

For more information, read the original story in BleepingComputer.