GitLab recently announced the release of security updates to fix 17 vulnerabilities. One of these vulnerabilities was rated critical: it could allow a malicious actor to run a pipeline job as an arbitrary user. This issue (CVE-2024-6678) carries a CVSS score of 9.9 out of 10.
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, states, “The vulnerability GitLab has patched (CVE-2024-6678) is a serious one, allowing attackers to run pipeline jobs as any user, which could lead to unauthorized code deployment or even tampering with sensitive data. Given its critical CVSS score of 9.9, this is not something security teams can afford to overlook, even though there’s no evidence of active exploitation at this time.”
The risks of CVE-2024-6678
Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, remarks, “CVE-2024-6678 presents a serious risk, particularly due to its ability to allow attackers to run pipeline jobs as arbitrary users, leading to potential privilege escalation, data exfiltration, and software supply chain compromise. While this vulnerability has not been observed in the wild yet, it bears strong similarities to recent high-profile attacks and tactics used by Advanced Persistent Threats (APTs) and cybercriminal groups.”
Guenther elaborates on the risks, noting two main concerns.
Software supply chain compromise
“As an example, the Codecov breach (2021) exposed the danger of CI/CD pipeline compromise. Attackers modified a script in Codecov’s pipeline, enabling them to exfiltrate environment variables, credentials, and sensitive data. This attack had ripple effects, affecting multiple downstream organizations that relied on compromised builds.
“APTs such as APT29 (Cozy Bear) and Lazarus Group target these environments for long-term access and data manipulation. In the case of CVE-2024-6678, exploiting pipeline permissions could lead to widespread compromise of production software.”
Privilege escalation and data exfiltration
“The Codecov breach demonstrated how attackers exploited CI/CD pipeline access to exfiltrate credentials and escalate privileges, similar to what could be done through CVE-2024-6678. Groups like FIN11 or APT28 (Fancy Bear) could use this vulnerability to gain unauthorized access, pivot within networks, and exfiltrate sensitive data.”
Patching CVE-2024-6678
Patching this vulnerability is important, but it is not the only measure security leaders must take. Tiquet explains, “Patching is essential, but it’s not the only step. Security teams should also keep a close eye on recent pipeline activity for anything unusual and ensure that access control measures, like Role-Based Access Control (RBAC), are properly enforced. Additionally, performing a thorough audit of user permissions and implementing strict segmentation between critical systems and development environments can help mitigate potential damage.”
Guenther adds, “While patching is critical, security teams must adopt a multi-layered approach to protect their CI/CD environments from future exploitation:
- “Harden pipeline security: Implement least privilege access controls and audit pipeline permissions regularly to minimize the risk of abuse. Isolate critical pipeline stages, particularly those tied to production.
- “Continuous monitoring: Deploy real-time monitoring for unusual pipeline activity, leveraging behavioral analytics to detect any unauthorized or suspicious actions.
- “Secure credential management: Use dedicated secrets management tools to store sensitive credentials used in pipelines, and enforce regular credential rotation to prevent attackers from leveraging compromised secrets.
- “Incident response and red teaming: Regularly conduct red team exercises focused on pipeline vulnerabilities and refine your incident response plans to quickly address any compromises within DevOps environments.”
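The monitoring and permission-audit advice above can be turned into a concrete check. The following is an added example written for this page, not code from GitLab or from either of the quoted experts. It runs a small audit over constructed pipeline-job events: the field names (`pipeline_id`, `job_id`, `project`, `triggered_by`, `job_user`, `environment`) and the membership snapshot are assumptions for illustration, not GitLab's real log or API schema. It flags exactly the conditions the article worries about: a job whose executing identity differs from the user who created the pipeline, a job running as someone who is not a project member, and a production deployment performed under a role that least-privilege policy would not permit.

```python
"""Audit pipeline-job events for identity and privilege anomalies.

Added example for this article. Event records and membership data are
constructed samples; the field names are assumptions, not GitLab's schema.
"""
from typing import Dict, List

# Constructed sample events (not real GitLab log lines).
SAMPLE_EVENTS = [
    {"pipeline_id": 101, "job_id": 1001, "project": "payments-api",
     "triggered_by": "alice", "job_user": "alice", "environment": "staging"},
    # Job identity does not match the pipeline creator.
    {"pipeline_id": 102, "job_id": 1002, "project": "payments-api",
     "triggered_by": "bob", "job_user": "alice", "environment": "production"},
    # Job ran as an identity that is not a project member at all.
    {"pipeline_id": 103, "job_id": 1003, "project": "payments-api",
     "triggered_by": "mallory", "job_user": "mallory", "environment": "production"},
    # Member with a low-privilege role deploying to production.
    {"pipeline_id": 104, "job_id": 1004, "project": "payments-api",
     "triggered_by": "carol", "job_user": "carol", "environment": "production"},
]

# Constructed membership snapshot: project -> {user: role}. In practice this
# is the output of the regular permission audit the article recommends.
PROJECT_MEMBERS: Dict[str, Dict[str, str]] = {
    "payments-api": {"alice": "maintainer", "bob": "developer", "carol": "reporter"},
}

# Policy assumptions for this example: which environments are production
# and which roles may deploy there.
PRODUCTION_ENVIRONMENTS = {"production"}
PRODUCTION_DEPLOY_ROLES = {"maintainer", "owner"}


def audit_job(event: dict, members: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of human-readable findings for one job event."""
    findings: List[str] = []
    project = event["project"]
    project_members = members.get(project, {})
    job_user = event["job_user"]
    creator = event["triggered_by"]

    # 1. The identity the job executed as should be the pipeline creator.
    if job_user != creator:
        findings.append(
            f"job ran as '{job_user}' but pipeline was created by '{creator}'")

    # 2. The executing identity must be a member of the project.
    role = project_members.get(job_user)
    if role is None:
        findings.append(f"'{job_user}' is not a member of project '{project}'")

    # 3. Production deployments require an explicitly allowed role.
    if event["environment"] in PRODUCTION_ENVIRONMENTS and role not in PRODUCTION_DEPLOY_ROLES:
        findings.append(
            f"role '{role}' is not permitted to deploy to '{event['environment']}' "
            f"(allowed: {sorted(PRODUCTION_DEPLOY_ROLES)})")
    return findings


def audit_events(events: List[dict],
                 members: Dict[str, Dict[str, str]]) -> Dict[int, List[str]]:
    """Map job_id -> findings for every event that produced at least one."""
    report: Dict[int, List[str]] = {}
    for event in events:
        findings = audit_job(event, members)
        if findings:
            report[event["job_id"]] = findings
    return report


if __name__ == "__main__":
    for job_id, findings in audit_events(SAMPLE_EVENTS, PROJECT_MEMBERS).items():
        print(f"job {job_id}:")
        for line in findings:
            print(f"  - {line}")
```

Run against the constructed data, job 1001 is clean, job 1002 is flagged for the creator/executor mismatch, job 1003 for running as a non-member and for an unpermitted production deployment, and job 1004 for a reporter-level account deploying to production. The same three checks apply to real audit or pipeline event exports once the field names are mapped to the actual schema.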