Philipp Trommler's Blog

Possible Gitlab Hack

Today I noticed a new and unknown user on our company's Gitlab instance: "johnyj12345". We immediately took down our instance, as it seems that Johny was able to extract our secrets. You should probably do so, too.

Published (modified ) by Philipp Trommler. This article has also been translated to: de.

Searching the web for the username (attention: Google link!) reveals that many self-hosted Gitlab instances are affected. The publicly visible procedure is always the same: Johny creates one or more issues that are linked with each other, and at the end of the link cascade there's either an attached file or a link to a file that holds Gitlab's secrets.yml.

From the web search it seems like the hack started on Saturday, though that may be a false conclusion. In any case, you should probably take down your Gitlab instance if you're affected, since the secrets.yml contains Gitlab's base key and the database encryption key, which should better be private AFAIK. This may or may not be an immediate attack surface, but better safe than sorry, especially since the files can easily be found via Google.
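As an added example (not code from this post), here is a small hunt over issue data in the shape of Gitlab's issues API objects for exactly the pattern described above: an account outside the known member list creating a cascade of linked issues whose last link points at an upload or at secrets.yml. The issue records, the member list and the field names used are constructed for the example; on a real instance the list of issues would come from the API instead.

```python
"""Hunt for linked-issue cascades that end in an attachment or a secrets.yml link.

Added example with constructed sample data; not the blog author's code.
The records mimic a subset of the fields Gitlab's issues API returns.
"""
import re
from typing import Dict, List, Set

# Constructed sample issues (project-local iids, author and markdown description).
SAMPLE_ISSUES: List[dict] = [
    {"iid": 41, "author": {"username": "alice"}, "description": "Fix login timeout, see #42"},
    {"iid": 42, "author": {"username": "alice"}, "description": "Timeout is in the session store"},
    {"iid": 43, "author": {"username": "johnyj12345"}, "description": "see #44"},
    {"iid": 44, "author": {"username": "johnyj12345"}, "description": "continued in #45"},
    {"iid": 45, "author": {"username": "johnyj12345"},
     "description": "[secrets.yml](/uploads/0123abcd/secrets.yml)"},
]
# Constructed member list; on a real instance take it from the project's members.
KNOWN_MEMBERS: Set[str] = {"alice", "bob"}

ISSUE_REF = re.compile(r"#(\d+)")                       # "#44" style cross reference
UPLOAD_LINK = re.compile(r"\]\((/uploads/[^)\s]+)\)")     # markdown link to an upload
SECRETS_NAME = re.compile(r"secrets\.ya?ml", re.I)        # the file the post names


def follow_chain(by_iid: Dict[int, dict], start: int) -> List[int]:
    """Follow the first '#N' reference in each description until it stops or loops."""
    chain: List[int] = []
    seen: Set[int] = set()
    cur = start
    while cur in by_iid and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        refs = ISSUE_REF.findall(by_iid[cur].get("description") or "")
        cur = int(refs[0]) if refs else -1
    return chain


def hunt(issues: List[dict], known_members: Set[str]) -> List[dict]:
    """Return one finding per suspicious chain: author, chain of iids and the reasons."""
    by_iid = {i["iid"]: i for i in issues}
    # Only start from chain heads (issues nobody references) so a chain is reported once.
    referenced = {int(r) for i in issues
                  for r in ISSUE_REF.findall(i.get("description") or "")}
    findings = []
    for issue in issues:
        if issue["iid"] in referenced:
            continue
        chain = follow_chain(by_iid, issue["iid"])
        terminal_desc = by_iid[chain[-1]].get("description") or ""
        author = issue["author"]["username"]
        reasons = []
        if author not in known_members:
            reasons.append("author is not a known member")
        if SECRETS_NAME.search(terminal_desc):
            reasons.append("chain ends in a reference to secrets.yml")
        elif author not in known_members and UPLOAD_LINK.search(terminal_desc):
            reasons.append("unknown author's chain ends in an attachment")
        if reasons:
            findings.append({"author": author, "chain": chain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_ISSUES, KNOWN_MEMBERS):
        print(f"{f['author']}: issues {f['chain']} -> {'; '.join(f['reasons'])}")
```

Alice's two-issue chain is not reported, because she is a known member and her last issue references no file; Johny's three-issue cascade is reported on both counts. Treating an unknown author alone as a reason keeps the hunt useful when the final issue carries an attachment with a different file name.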

We're currently looking for a sane and safe way of rotating the keys within that file. Any help would be appreciated.

Follow up

According to their official forum, the attack used a known bug (CVE-2020-10977) that had already been fixed in version 12.9.1, released in March this year. We, unlike many others, had already installed the fix, thus the link in the issue created by Johny pointed nowhere.
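Since the difference between affected and unaffected instances came down to having installed 12.9.1, here is an added example (not the post's code) that checks a version string as reported by Gitlab's own version endpoint against that release. The only fixed release the post names is 12.9.1, so the table below holds just that entry; older release lines are reported as "unknown" rather than guessed, and the JSON body shown is a constructed sample of the endpoint's response shape, not a real instance.

```python
"""Compare a Gitlab version string against the release that fixed CVE-2020-10977.

Added example, not the blog's own code. Only 12.9.1 is stated in the post as the
fixed release; other release lines must be filled in from Gitlab's advisory.
"""
import json
import re
from typing import Tuple

# Release line -> first patched release in that line (only the line named in the post).
FIXED_RELEASES = {(12, 9): (12, 9, 1)}
FIRST_PATCHED_LINE = (12, 9)   # assumption: any later minor line already carries the fix

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'12.9.1-ee' -> (12, 9, 1); edition and pre-release suffixes are ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Gitlab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown' when the release line is not in the table."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_RELEASES:
        return "patched" if (major, minor, patch) >= FIXED_RELEASES[line] else "vulnerable"
    if line > FIRST_PATCHED_LINE:
        return "patched"
    return "unknown: check Gitlab's advisory for the backport in this release line"


def assess_api_response(body: str) -> str:
    """Assess the JSON body of GET /api/v4/version ({"version": ..., "revision": ...})."""
    return assess(json.loads(body)["version"])


# Constructed sample body in the endpoint's shape (not from a real instance).
SAMPLE_BODY = '{"version": "12.9.0-ee", "revision": "0000000"}'

if __name__ == "__main__":
    print(assess_api_response(SAMPLE_BODY))
```

The sample body is one patch release short of the fix and is reported as vulnerable; a 12.8.x string comes back as "unknown" on purpose, because the post does not say which 12.8 release carried the backport.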

Better subscribe to their Atom feed in order to maintain the smallest possible attack surface for hackers. Alas, they don't provide a release-specific one.

Filed under Security. Tags: git, gitlab, hacking, web.

Want to comment on this article? Write me at blog [at] philipp-trommler [dot] me!
