A security flaw in self-hosted GitLab servers has been exploited by threat actors to build botnets and launch distributed denial-of-service (DDoS) attacks, some of them exceeding 1 Tbps.
GitLab patched the vulnerability, tracked as CVE-2021-22205, in April 2021; however, threat actors have kept exploiting unpatched instances and have used them to launch DDoS attacks.
The vulnerability was found by a security researcher and reported to GitLab through its bug bounty program. The flaw lies in ExifTool, a tool for reading and removing metadata from images that GitLab runs on uploaded images as one of its features. ExifTool is bundled with both GitLab Community Edition (CE), the open-source version, and GitLab Enterprise Edition (EE), the commercial version; both are the self-managed editions that customers install on their own servers.
According to another report, the weakness is in ExifTool's handling of the DjVu file format (a format for scanned documents) on the image-upload path: a crafted DjVu file passed through that path can take control of the underlying GitLab web server.
Exploitation of the flaw in attacks was first observed last June, when analysts spotted users with random names being added to compromised GitLab servers.
Threat actors allegedly created these random users to keep remote control of the compromised systems.
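The indicator described above, unexpected accounts with random-looking names appearing on an instance, can be checked from the user list a GitLab administrator can export (for example from the users API). The following is an added example, not code from the article or from GitLab: it runs a simple heuristic over constructed user records shaped like GitLab API output (`username`, `created_at`, `is_admin`), flagging accounts created after a baseline date whose usernames have almost no vowels or long consonant runs, and any admin account created in that window. The field names follow GitLab's API; the heuristic thresholds and the function names are this example's own assumptions, and the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample records in the shape of GitLab's /api/v4/users output.
SAMPLE_USERS = [
    {"username": "alice.johnson", "created_at": "2021-03-02T09:15:00.000Z", "is_admin": False},
    {"username": "x7qk2mvp9lz",   "created_at": "2021-06-14T03:12:45.000Z", "is_admin": True},
    {"username": "mrobertson",    "created_at": "2021-06-20T11:40:10.000Z", "is_admin": False},
    {"username": "hgtrpkwlzq",    "created_at": "2021-06-22T02:01:59.000Z", "is_admin": False},
]

VOWELS = set("aeiou")


def parse_gitlab_time(value: str) -> datetime:
    """GitLab timestamps end in 'Z'; fromisoformat() needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def looks_random(username: str) -> bool:
    """Heuristic (assumption of this example): a username of 8+ characters with
    fewer than 20% vowels among its letters, or a run of 5+ consonants, is
    treated as machine-generated."""
    s = username.lower()
    if len(s) < 8:
        return False
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in s:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.2 or longest_run >= 5


def flag_suspicious_users(users, since: datetime):
    """Return [(username, [reasons])] for accounts created after `since`
    that look random or were created with admin rights."""
    flagged = []
    for u in users:
        created = parse_gitlab_time(u["created_at"])
        if created <= since:
            continue
        reasons = []
        if looks_random(u["username"]):
            reasons.append("random-looking username")
        if u.get("is_admin"):
            reasons.append("admin account created after baseline")
        if reasons:
            flagged.append((u["username"], reasons))
    return flagged


if __name__ == "__main__":
    baseline = datetime(2021, 6, 1, tzinfo=timezone.utc)
    for name, why in flag_suspicious_users(SAMPLE_USERS, baseline):
        print(f"{name}: {', '.join(why)}")
```

Any hit is a prompt to compare the account against the instance's expected provisioning records (SSO, onboarding tickets); a legitimately created account with an unusual name will show up there, an attacker-created one will not.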
It is unclear who is behind the attacks or why they are being launched, but reports say the compromised servers form part of a botnet of thousands of compromised GitLab instances used to launch large DDoS attacks.
Botnet operators appear to target companies that do not patch their servers and software, which is what happened with these self-hosted GitLab servers. Reports count over 60,000 GitLab servers reachable from the internet, and around half of them are still unpatched against the CVE-2021-22205 ExifTool exploit.
It is important to note that the ExifTool vulnerability is not specific to GitLab: any other web application that deploys the tool may be affected as well. Further exploitation may therefore be reported, and other types of web applications may also need to be patched.
In conclusion, security experts point out that, beyond patching, companies can reduce their exposure by blocking DjVu file uploads at the server level, especially if they have no need to handle this file type.
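Blocking DjVu uploads is only effective if the check looks at file content rather than the file name, because ExifTool identifies formats by their content and the flaw was reached through the ordinary image-upload path. The following is an added example, not code from the article, from GitLab or from ExifTool: a content-based upload gate that rejects any file carrying the DjVu container signature (the IFF85 `AT&TFORM` header that DjVu files begin with), whatever extension it was uploaded under, and then only accepts content whose signature matches an allowed image type. The function names are this example's own; the sample byte strings are constructed headers, not real files.

```python
# DjVu files are IFF85 containers: "AT&T" + "FORM" + 4-byte big-endian
# length + a 4-byte form type (DJVU single page, DJVM multi-page, DJVI, THUM).
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}

# Leading bytes of the image types this gate is willing to accept.
IMAGE_MAGICS = {
    "image/png":  [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif":  [b"GIF87a", b"GIF89a"],
}

# Constructed samples: a bare PNG signature and a bare DjVu container header.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
SAMPLE_DJVU = DJVU_MAGIC + b"\x00\x00\x00\x20" + b"DJVU" + b"INFO"


def is_djvu(data: bytes) -> bool:
    """True for anything that starts with the DjVu container signature.
    A truncated header (no form type yet) is still treated as DjVu, since
    rejecting conservatively is the point of the gate."""
    return data.startswith(DJVU_MAGIC)


def djvu_form_type(data: bytes) -> bytes:
    """Form type for logging; b'' when the header is too short."""
    form = data[12:16]
    return form if form in DJVU_FORM_TYPES else b""


def sniff_image_type(data: bytes):
    """Return the MIME type whose signature the content carries, else None."""
    for mime, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, data: bytes,
                    allowed=("image/png", "image/jpeg", "image/gif")):
    """Decide whether an uploaded file may be handed to an image pipeline.
    Returns (accepted, reason). The extension is deliberately ignored: a
    DjVu container renamed to .jpg is still a DjVu container."""
    if is_djvu(data):
        form = djvu_form_type(data).decode("ascii", "replace") or "unknown"
        return False, f"DjVu container ({form}) rejected; name {filename!r} ignored"
    detected = sniff_image_type(data)
    if detected is None:
        return False, "content does not match any accepted image signature"
    if detected not in allowed:
        return False, f"{detected} is not an allowed type"
    return True, detected


if __name__ == "__main__":
    for name, blob in [("logo.png", SAMPLE_PNG), ("scan.jpg", SAMPLE_DJVU),
                       ("notes.png", b"just some text")]:
        print(name, validate_upload(name, blob))
```

In a real deployment this check belongs in front of whatever hands files to ExifTool (a reverse proxy body filter or the upload handler itself), and it complements the patch rather than replacing it, since it only closes the DjVu path the article describes.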