GitLab Vulnerability, Secure by Design Pledge, & Near Miss Supply Chain Attack

Hello, this week Jordan_Zebor is your editor, looking at the notable security news: a critical GitLab vulnerability, the CISA Secure by Design Pledge, and a near-miss supply chain attack.


GitLab Pipeline Takeover Vulnerability

GitLab has disclosed a critical vulnerability (CVE-2024-6385) in its CI/CD pipeline functionality affecting Community Edition (CE) and Enterprise Edition (EE) from 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2; the fixes shipped in those three patch releases (16.11.6, 17.0.4 and 17.1.2). With a CVSS score of 9.6, the issue allows an authenticated attacker to trigger pipelines as another user under certain conditions, compromising the integrity of anything those pipelines build, sign, or deploy. The only thing keeping it from a <insert sarcasm here> "perfect 10" is the Privileges Required metric: the attacker needs a low-privileged account rather than no account at all. Either way, the issue falls under the qualitative severity of Critical, meaning security teams should be assessing their exposure ASAP. The flaw was reported through GitLab's HackerOne bug bounty program. I've not seen reports of active exploitation, so hopefully defenders get some time to patch before proof-of-concept or exploit code is released.
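As an added example (not from the GitLab advisory or from this post's author), here is a small Python helper for the "assess your exposure" step: it parses a GitLab version string and checks it against the affected ranges from the advisory. The `fetch_version` function is an assumption about how you would gather versions across a fleet: it calls GitLab's `GET /api/v4/version` REST endpoint, which requires an authenticated personal access token. The sample fleet in the block is constructed.

```python
"""Check GitLab version strings against the CVE-2024-6385 affected ranges."""
import json
import re
import urllib.request

# Fixed releases from GitLab's 2024-07-10 patch release. Everything from the
# start of each range up to (not including) the fixed release is affected;
# branches older than 15.8 are not listed in the advisory.
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 6)),
    ((17, 0, 0), (17, 0, 4)),
    ((17, 1, 0), (17, 1, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '17.1.1-ee' or '16.11.5-ce' into (17, 1, 1); the edition suffix is ignored."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison)."""
    parsed = parse_version(version)
    return any(low <= parsed < high for low, high in AFFECTED_RANGES)


def fetch_version(base_url: str, token: str) -> str:
    """Assumed collection step: GET /api/v4/version with a personal access token."""
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)["version"]


def triage(versions) -> dict:
    """Map each instance version to whether it is affected."""
    return {version: is_affected(version) for version in versions}


if __name__ == "__main__":
    # Constructed sample fleet, not real instances.
    sample = ["16.11.5-ee", "16.11.6-ee", "17.0.3-ce", "17.1.1-ee", "17.1.2-ee", "15.7.9", "14.10.0"]
    for version, affected in triage(sample).items():
        print(f"{version:12} {'AFFECTED - patch now' if affected else 'not affected'}")
```

Feed `triage` the output of `fetch_version` for each instance you own; anything that comes back `True` should move to one of the three fixed releases before a public exploit appears.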


CISA Secure by Design Pledge

CISA's Secure by Design initiative, launched in April 2023, aims to shift the burden of product security from customers onto vendors. The associated Secure by Design pledge, announced in May 2024, asks software manufacturers to make measurable progress within a year on seven goals: expanding multi-factor authentication, eliminating default passwords, reducing entire classes of vulnerability, improving customer uptake of security patches, publishing a vulnerability disclosure policy, filing accurate CVEs, and giving customers the evidence they need to detect intrusions. F5 has signed this pledge, reflecting its commitment to advancing the security of its products.

F5 isn't starting from scratch, as we already adhere to many of the principles outlined in the CISA pledge. We have a strong track record of CVE vulnerability disclosure; our Quarterly Security Notifications provide transparency and predictable patching; and our established vulnerability disclosure policy ensures timely identification, assessment, and remediation of vulnerabilities, with clear communication channels for public disclosure. Additionally, iHealth enhances customers' ability to gather evidence of intrusions, helping organizations detect and respond to cybersecurity threats efficiently.


Python Ecosystem Near Miss Supply Chain Attack

JFrog's Security Research team discovered a leaked GitHub personal access token belonging to a PyPI administrator, sitting in a compiled Python file (.pyc) inside a public Docker container image. PyPI (Python Package Index) is the repository developers use to share and distribute Python packages, and the token carried administrative access to the GitHub organizations that host PyPI's Warehouse code base and related Python projects, so an attacker holding it could have inserted malicious code into PyPI itself or into the packages developers download from it, potentially gaining backdoor access to manipulate popular packages. PyPI's security team revoked the token within 17 minutes of JFrog's report, and their transparent incident report concluded that no malicious activity was detected. This near miss underscores how severe a supply chain attack could have been had the credential fallen into malicious hands. It also highlights that scanning source code for secrets is not enough: the token had already been removed from the source file but survived in the compiled artifact, so both source code and binary data need auditing, because critical data sometimes resides only in binary form.
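Added example (mine, not JFrog's scanner or PyPI's tooling): a minimal binary-aware secret scan in Python that reproduces the failure mode above. It compiles a constructed `deploy.py` containing a fake GitHub classic token into a `.pyc`, scrubs the token from the source, packs both files into a tarball standing in for a container image layer, and then shows a byte-level scan finding the token only in the compiled artifact. The token, file names and layer name are all constructed; the two regexes cover the GitHub classic PAT prefix (`ghp_`) and the fixed base64 header PyPI API tokens start with.

```python
"""Scan binary artifacts (.pyc files, container layer tarballs) for leaked tokens."""
import pathlib
import py_compile
import re
import tarfile
import tempfile

# Well-known token prefixes; a production scanner carries many more patterns.
TOKEN_PATTERNS = {
    "github_pat_classic": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    # PyPI API tokens are macaroons whose base64-encoded header always starts this way.
    "pypi_api_token": re.compile(rb"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}"),
}

# Constructed token: right shape for the regex, not a real credential.
FAKE_GITHUB_TOKEN = "ghp_Ab3dEfGh1jKlMnOpQrStUvWxYz0123456789"


def scan_bytes(blob: bytes) -> list:
    """Return (pattern_name, token) pairs found anywhere in a byte string."""
    hits = []
    for name, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(blob):
            hits.append((name, match.group(0).decode("ascii")))
    return hits


def scan_file(path) -> list:
    """Scan one file as raw bytes, so .py, .pyc, .so or anything else is treated alike."""
    return scan_bytes(pathlib.Path(path).read_bytes())


def scan_tar(path) -> dict:
    """Scan every regular file inside a tarball, e.g. one layer extracted from `docker save`."""
    hits = {}
    with tarfile.open(str(path)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            fobj = tar.extractfile(member)
            if fobj is None:
                continue
            found = scan_bytes(fobj.read())
            if found:
                hits[member.name] = found
    return hits


def demo() -> dict:
    """Reproduce the failure mode: the secret is removed from the .py but lives on in the .pyc."""
    with tempfile.TemporaryDirectory() as tmp:
        work = pathlib.Path(tmp)
        source = work / "deploy.py"
        # Developer hard-codes the token and compiles the module...
        source.write_text(f'TOKEN = "{FAKE_GITHUB_TOKEN}"\n')
        compiled = py_compile.compile(str(source), cfile=str(work / "deploy.pyc"), doraise=True)
        # ...then "fixes" the source, leaving the compiled artifact untouched.
        source.write_text('import os\nTOKEN = os.environ["GITHUB_TOKEN"]\n')
        # Both files end up in an image layer (a plain tar stands in for it here).
        layer = work / "layer.tar"
        with tarfile.open(str(layer), "w") as tar:
            tar.add(str(source), arcname="app/deploy.py")
            tar.add(str(compiled), arcname="app/deploy.pyc")
        return {
            "source_hits": scan_file(source),    # a source-only scanner sees nothing
            "pyc_hits": scan_file(compiled),     # the binary still carries the token
            "layer_hits": scan_tar(layer),       # and so does the image layer
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real image, `docker save` the image, extract it, and point `scan_tar` at each layer tarball; because `scan_bytes` works on raw bytes, compiled bytecode, shared objects and minified bundles get the same treatment as text. Marshal stores Python string constants as plain UTF-8, which is why a byte-level regex is enough to find a token that no source scan would report.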

Published Jul 15, 2024
Version 1.0
  • Thank you for this insightful information. About your sarcastic tag in the GitLab chapter, if I switch mine, I still have in mind the horrible time we had not too long ago with all those critical CVEs about BIG-IP's management REST API 😬

    Hopefully those days won't come back, because if they do, that could impact the reputation of wib and heyhack (now integrated into F5) products too. Well, hopefully they're used in the dev pipeline prior to build release...