{"id":18670,"date":"2022-04-05T01:10:04","date_gmt":"2022-04-05T09:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/05\/news-12403\/"},"modified":"2022-04-05T01:10:04","modified_gmt":"2022-04-05T09:10:04","slug":"news-12403","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/05\/news-12403\/","title":{"rendered":"GitLab issues security updates; watch out for hard coded passwords"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Tue, 05 Apr 2022 08:56:14 +0000<\/strong><\/p>\n<p>GitLab has issued several critical security updates, with users of the version control software urged to upgrade their installations as soon as possible. One of the fixes is for a hard coded password issue.<\/p>\n<h2>What is distributed version control?<\/h2>\n<p>Distributed version control is a way for an organisation\u2019s codebase to be <a href=\"https:\/\/en.wikipedia.org\/wiki\/Distributed_version_control#Distributed_vs._centralized\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">mirrored on the devices<\/a> of anyone who needs access. Where people occasionally become confused is when they see a number of services using the word \u201cGit\u201d in their name. They&#8217;re not all the same thing, and we shouldn&#8217;t unnecessarily worry that one issue affects lots of different services due to naming conventions.<\/p>\n<h2>Are GitHub and GitLab the same thing?<\/h2>\n<p><a href=\"https:\/\/www.zdnet.com\/article\/github-vs-gitlab-the-key-differences\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">They are not<\/a>! If you\u2019re reading about this update, you\u2019re reading about an update for users of GitLab specifically. GitHub <em>isn\u2019t<\/em> affected by this, and so users shouldn\u2019t worry about missing security updates for hard-coded passwords. 
Hub and Lab are similar, but <a href=\"https:\/\/theinfinitekitchen.com\/faq\/question-are-gitlab-and-github-the-same-company\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">most definitely not the same<\/a>.<\/p>\n<h2>What\u2019s happened with GitLab?<\/h2>\n<p>There\u2019s been a critical security release, addressing multiple issues. No fewer than 17 elements have been addressed, with one rated critical, two rated high, and nine rated medium. Here\u2019s the rundown of the issue rated critical from their release page:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em><strong>Static passwords inadvertently set during OmniAuth-based registration<\/strong><\/em><\/p>\n<p><em>A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE\/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.<\/em><\/p>\n<p><em>This vulnerability has been discovered internally by the GitLab team.<\/em><\/p>\n<p><em>Note: We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we\u2019re taking precautionary measures for our users\u2019 security.<\/em><\/p>\n<\/blockquote>\n<h2>What are hardcoded passwords, and why are they bad?<\/h2>\n<p>Hardcoded passwords, also known as embedded credentials, make using the software or device they\u2019re attached to a risky business. If your cheap, off the shelf router has the same single password in use for every single device, that\u2019s bad. Someone who owns one of these devices now knows the password for all of those devices. 
If your forum software has a single, unchangeable password buried in the code, that\u2019s bad. Somebody with dubious intentions may well have the keys to the kingdom for all versions of that forum.<\/p>\n<p>It\u2019s a similar story here &#8211; with a few caveats. According to <a href=\"https:\/\/www.theregister.com\/2022\/04\/01\/gitlab_security_advisory\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The Register<\/a>, accounts created through <a href=\"https:\/\/github.com\/omniauth\/omniauth\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">OmniAuth<\/a> using fewer than 21 characters for the password were vulnerable to the default password. A <a href=\"https:\/\/about.gitlab.com\/releases\/2022\/03\/31\/critical-security-release-gitlab-14-9-2-released\/#script-to-identify-users-potentially-impacted-by-cve-2022-1162\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">script has also been released<\/a> which, in GitLab\u2019s words, \u201c&#8230;can be used by self-managed instance admins to identify user accounts potentially impacted by <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-1162\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE-2022-1162<\/a>\u201d.<\/p>\n<h2>Time to update<\/h2>\n<p>If you think you may be impacted by this, make haste and check out the list of updates. 
You don\u2019t want to leave an easy way in for attackers to exploit your business.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2022\/04\/gitlab-issues-security-updates-watch-out-for-hard-coded-passwords\/\">GitLab issues security updates; watch out for hard coded passwords<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We take a look at several security updates released by GitLab, the most important of which addressed hard coded passwords.<\/p>\n
","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11810,25601,25602,11831,14244,5897,11304],"class_list":["post-18670","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cve","tag-gitlab","tag-hard-coded","tag-password","tag-patch","tag-privacy","tag-update"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18670"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18670\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18670"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}