Possible Gitlab Hack
Today I noticed a new and unknown user on our company's Gitlab instance: "johnyj12345". We immediately took down our instance as it seems as if that Johny was able to extract our secrets. You should probably do so, too.
Published by Philipp Trommler.
Searching the web for the username (attention: Google link!) reveals that many self-hosted Gitlab instances are affected. The publicly visible procedure is always the same: Johny creates one or more issues that are linked with each other, and at the end of the link cascade there's either an attached file or a link to a file which holds Gitlab's secrets.yml.
From the web search it seems like the hack started on Saturday, though that may be a false conclusion. In any case, you should probably take down your Gitlab instance if you're affected, since the secrets.yml contains Gitlab's base key and the database encryption key, which AFAIK should be kept private. This may or may not be an immediate attack surface, but better safe than sorry, especially since the files can be easily found via Google.
We're currently looking for a sane and safe way of rotating the keys within that file. Any help would be appreciated.
Follow up
According to their official forum, the attack used a known bug (CVE-2020-10977) that had already been fixed in version 12.9.1, released in March this year. We, unlike many others, had already installed the fix, thus the link in the issue created by Johny pointed nowhere.
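As an added example (not the author's code and not part of Gitlab), here is a small Python audit that applies the two checks this post and its follow-up point to: compare the instance's version string against the 12.9.1 fix level, and scan a list of issues for authors outside the known user set and for descriptions that link to an upload or to a secrets file. The issue records are constructed inline in the shape of Gitlab's REST `/issues` responses (fields `iid`, `project_id`, `author.username`, `title`, `description`); the `gitlab-secrets.json` pattern (omnibus equivalent of secrets.yml) and treating only 12.9.1 as the fix level (backports to older release branches are not considered) are assumptions.

```python
"""Offline audit helpers for the Gitlab issue-cascade incident (added example)."""
import re

# Fix level the follow-up names for CVE-2020-10977. Assumption: no backports
# to older release branches are taken into account.
FIXED_VERSION = (12, 9, 1)

# Markers for the cascade described above: a link or attachment pointing at a
# secrets file. The gitlab-secrets.json entry is an assumption (omnibus layout).
SUSPICIOUS_PATTERNS = [
    re.compile(r"secrets\.ya?ml", re.IGNORECASE),
    re.compile(r"gitlab-secrets\.json", re.IGNORECASE),
    # Gitlab renders uploaded attachments as /uploads/<32 hex chars>/<file>.
    re.compile(r"/uploads/[0-9a-f]{32}/", re.IGNORECASE),
]


def parse_version(version: str) -> tuple:
    """Turn '12.9.1-ee' or '12.9' into a comparable (major, minor, patch) tuple."""
    core = version.split("-")[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable(version: str) -> bool:
    """True when the instance is below the 12.9.1 fix level from the follow-up."""
    return parse_version(version) < FIXED_VERSION


def find_suspicious_issues(issues, known_users):
    """Flag issues by unknown authors or whose text links to uploads/secrets files.

    Returns a list of {"project_id", "iid", "reasons"} dicts, one per flagged issue.
    """
    hits = []
    for issue in issues:
        author = issue.get("author", {}).get("username", "")
        text = " ".join(filter(None, [issue.get("title"), issue.get("description")]))
        reasons = []
        if author not in known_users:
            reasons.append(f"unknown author {author!r}")
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(text):
                reasons.append(f"text matches {pattern.pattern!r}")
        if reasons:
            hits.append({"project_id": issue["project_id"], "iid": issue["iid"],
                         "reasons": reasons})
    return hits


# Constructed sample data mirroring the cascade the post describes: a legitimate
# issue, an issue by the unknown user pointing at a second issue, and that second
# issue carrying an attachment named like the secrets file. The upload hash is
# made up.
KNOWN_USERS = {"alice", "bob"}
SAMPLE_ISSUES = [
    {"project_id": 7, "iid": 1, "author": {"username": "alice"},
     "title": "Build fails on CI", "description": "See the job log."},
    {"project_id": 7, "iid": 2, "author": {"username": "johnyj12345"},
     "title": "test", "description": "see #3"},
    {"project_id": 7, "iid": 3, "author": {"username": "johnyj12345"},
     "title": "test",
     "description": "[secrets](/uploads/0123456789abcdef0123456789abcdef/secrets.yml)"},
]


if __name__ == "__main__":
    for version in ("12.8.7", "12.9.1-ee"):
        print(version, "vulnerable" if is_vulnerable(version) else "patched")
    for hit in find_suspicious_issues(SAMPLE_ISSUES, KNOWN_USERS):
        print(f"project {hit['project_id']} issue #{hit['iid']}: {'; '.join(hit['reasons'])}")
```

In practice the `issues` list would come from the instance's REST API (e.g. listing issues across all projects as an administrator) and `known_users` from your identity provider; the matching logic stays the same, and anything flagged by the upload or secrets patterns is worth pulling from the instance for review before deciding whether keys need rotating.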
Better subscribe to their Atom feed in order to maintain the smallest possible attack surface for hackers. Alas, they don't provide a release-specific one.
Filed under Security. Tags: git, gitlab, hacking, web.
Want to comment on this article? Write me at blog [at] philipp-trommler [dot] me!