GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps
Image: GitLab
Catalin Cimpanu November 4, 2021

GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps

GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps

Threat actors are exploiting a security flaw in GitLab self-hosted servers to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second (Tbps).

The DDoS attacks, disclosed today by Damian Menscher, a Security Reliability Engineer at Google Cloud responsible for Google’s DDoS defenses, are exploiting CVE-2021-22205, a vulnerability that GitLab patched back in April 2021.

Attacks target GitLab’s metadata removal feature

Discovered by William Bowling and reported to GitLab via its bug bounty program, the vulnerability impacts ExifTool—a library used to remove metadata from images uploaded on web servers.

Under the hood, GitLab uses ExifTool inside GitLab Community Edition (CE) and Enterprise Edition (EE), the open-source and commercial versions of its service that companies can install on their own servers—for scenarios where they want to handle proprietary code in secure environments and can’t use GitLab’s cloud-based service.

In a report filed via HackerOne, Bowling said he discovered a way to abuse how ExifTool handles uploads for DjVu file format used for scanned documents to gain control over the entire underlying GitLab web server.

Attacks exploiting this vulnerability began in June this year, according to Italian security firm HN Security, who first reported signs of exploitation last week.

At the time, HN security researcher Piergiovanni Cipolloni said the company began an investigation after spotting randomly-named users being added to compromised GitLab servers, users that were most likely created by the attackers to allow remote control of the hacked systems.

HN-GitLab-users
Image: HN Security

While the purpose of these attacks remained unclear for HN Security, yesterday, Google’s Menscher said the hacked servers were part of a botnet comprising of “thousands of compromised GitLab instances” that was launching large-scale DDoS attacks.

Around 30,000 GitLab servers remain unpatched

Just as seen in many other previous cases, the botnet operators appear to be exploiting the tardiness of companies across the world when it comes to patching their software, in this case, in-house GitLab servers.

According to a Rapid7 analysis published on Monday, there are more than 60,000 GitLab servers connected to the internet, of which around half still remain unpatched for the CVE-2021-22205 ExifTool exploit.

Public proof-of-concept code for this vulnerability has been available since June, around the same time that HN spotted the first attacks.

Of note is that the ExifTool vulnerability at the core of the GitLab issue, tracked independently as CVE-2021-22204, might also impact other types of web applications where the tool might have been deployed, so it may be that additional exploitation is also likely reported, and that other types of web apps might need patching as well.

The simplest way to prevent attacks would be to block the upload of DjVu files at the server level, if companies don’t need to handle this file type.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.