https://blog.philipp-trommler.me/en/2020-07-20T22:17:00+02:002020-07-13T14:05:00+02:002020-07-20T22:17:00+02:00Philipp Trommlertag:blog.philipp-trommler.me,2020-07-13:/en/posts/2020/07/13/security-possible-gitlab-hack-johnyj12345/

<p>Today I noticed a new and unknown user on our company's Gitlab instance: "johnyj12345". We immediatly took down our instance as it seems as if that Johny was able to extract our secrets. You should probably do so, too.</p>

<p>Searching the web <a href="https://www.google.com/search?q=johnyj12345">for the username</a> (attention: Google link!) reveals that many self-hosted Gitlab instances are affected. The publicly visible procedure is always the same: Johny creates one or more issues that are linked with each other and at the end of the link cascade there's either an attached file or a link to a file which holds Gitlab's <code>secrets.yml</code>.</p> <p>From the web search it seems like the hack started on Saturday, though that may be a false conclusion. In any case, you should probably take down your Gitlab instance if you're affected since the <code>secrets.yaml</code> contains Gitlab's base key and the database encryption key which should better be private AFAIK. This may or may not be an immediate attack surface, but better safe than sorry, especially since the files can be easily found via Google.</p> <p>We're currently looking for a sane and safe way of rotating the keys within that file. Any help would be appreciated.</p> <h3 id="follow-up">Follow up<a class="headerlink" href="#follow-up" title="Permanent link">&para;</a></h3> <p>According to <a href="https://forum.gitlab.com/t/security-many-selfhosted-instances-probably-hacked-by-johnyj12345/40135/3">their official forum</a> the attack used <a href="https://hackerone.com/reports/827052">a known bug</a> (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10977">CVE-2020-10977</a>) that has already been fixed in <a href="https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/">version 12.9.1 released in March</a> this year. We, unlike many others, had already installed the fix, thus the link in the issue created by Johny pointed nowhere.</p> <p>Better subscribe to their <a href="https://about.gitlab.com/atom.xml">Atom feed</a> in order to maintain the smallest possible attack surface for hackers. Alas, they don't provide a release specific one.</p>