Security: many selfhosted instances probably hacked by 'johnyj12345'

There is a hack which seems to affect a lot of self-hosted GitLab instances with “self-registration” enabled.

I have the exact same issue as described in the following link.
https://blog.philipp-trommler.me/posts/2020/07/13/security-possible-gitlab-hack-johnyj12345/
If you google the username, you can find public repositories which are also hacked, all on the same day (like mine). Because these repositories and instances are public, they show up in Google.
But non-public repositories are also affected (like mine and the author of the blog article).

The hack aims to access the file /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml with a trick by moving a ticket to another project.

The question is: Was it successful???
The created ticket content in my instance looks like the following:

But if I manually follow the link, by clicking it, I get a 404 page.
This is a good sign, right?
I have seen other instances (mentioned earlier) where you could really download a secrets.yml filled with correct-looking, typical content. Of course I don’t know if this was the actual real content… (but I would guess so).

Apart from that… How can we refresh the secrets, so that the old ones are invalid?

For all others out there: have a look for newly created user accounts, two new projects and one moved ticket! As far as I have seen, they are all named the same (projects ‘test8’ and ‘test9’, ticket ‘issue1’ from user ‘johnyj12345’).

What I have done: I disabled my instance, disabled self-service account registration for the future and blocked the user. Anything else to be aware of?

They are also reporting the hack and provide additional information and todos:

Hi @Sunchezz89! Thanks for reaching out.

Recently, a GitLab user posted a blog about the exploitation of a known vulnerability which has been previously disclosed and assigned CVE-2020-10977. GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.

This issue was remediated and patched in the 12.9.1 release in March 2020.

Upgrading to the latest security release for your supported version is part of good security hygiene. We strongly recommend that all users confirm they are running the latest version of GitLab to ensure they are up-to-date with current security releases. Users should update immediately if needed.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our release updates on our update page and view regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

Keep your instance safe and updated

You can read more best practices in securing your GitLab instance in our blog post. You can subscribe to receive Security Notices in your inbox, receive security blog updates through our rss feed or follow us on twitter for release updates.

Let me know if this raises any other questions! Thanks!

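Below is an added triage script, written for this thread and not taken from the original poster, the linked blog or GitLab. It turns the two posts into checks a defender can run offline over data exported from the GitLab API: the version range and fix release named in the GitLab reply (8.5 up to 12.9, fixed in 12.9.1), and the indicators from the original post (a freshly self-registered account, projects named test8/test9, an issue named issue1 that was moved between projects and points at secrets.yml). The sample records are constructed to mirror the field names of the /users, /projects and /issues API responses; the substring match on "secrets.yml" and the use of `moved_to_id` as the marker for a moved issue are assumptions about how the planted issue looks, so treat hits as triage leads rather than proof.

```python
"""Defender-side triage for the indicators described in this thread, plus a
check of whether a GitLab version is inside the range the GitLab reply names
for CVE-2020-10977 (8.5 up to 12.9, fixed in 12.9.1).

The sample records are constructed to mirror GitLab REST API field names
(/users, /projects, /issues); they are not data from any real instance.
"""
from __future__ import annotations

from datetime import date, datetime

# Indicators taken from the thread itself.
SECRETS_FILE = "secrets.yml"
SUSPECT_USERNAME = "johnyj12345"
SUSPECT_PROJECTS = {"test8", "test9"}
SUSPECT_ISSUE_TITLE = "issue1"


def parse_version(v: str) -> tuple[int, int, int]:
    """'12.9.1' -> (12, 9, 1); tolerates '12.9' and suffixes such as '12.9.1-ee'."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(v: str) -> bool:
    """True when the version lies in the range the reply states: 8.5 through 12.9.0.

    Only 12.9.1 is named as the fix on this page; fixes shipped as backports to
    older minor branches are not modelled, so compare against GitLab's advisory
    for your branch before trusting a False result.
    """
    return (8, 5, 0) <= parse_version(v) < (12, 9, 1)


def _created_on(record: dict) -> date:
    """GitLab emits ISO 8601 timestamps such as '2020-07-12T03:14:00.000Z'."""
    return datetime.fromisoformat(record["created_at"].replace("Z", "+00:00")).date()


def find_suspect_users(users: list[dict], since: date) -> list[dict]:
    """Accounts created on or after `since` (incident day) or with the reported name."""
    return [u for u in users if u["username"] == SUSPECT_USERNAME or _created_on(u) >= since]


def find_suspect_projects(projects: list[dict], creator_ids: set[int]) -> list[dict]:
    """Projects with the reported throwaway names, or created by a suspect account."""
    return [p for p in projects if p["name"] in SUSPECT_PROJECTS or p.get("creator_id") in creator_ids]


def find_suspect_issues(issues: list[dict]) -> list[dict]:
    """Issues moved to another project (GitLab sets moved_to_id on the original),
    carrying the reported title, or mentioning secrets.yml in title/description.
    The text match is an assumption about how the planted issue reads."""
    hits = []
    for issue in issues:
        text = f"{issue.get('title', '')}\n{issue.get('description') or ''}"
        if (issue.get("moved_to_id") is not None
                or issue.get("title") == SUSPECT_ISSUE_TITLE
                or SECRETS_FILE in text):
            hits.append(issue)
    return hits


def triage(users, projects, issues, since: date, gitlab_version: str) -> dict:
    """Combine the checks into one report; `compromise_likely` is a heuristic only."""
    sus_users = find_suspect_users(users, since)
    sus_projects = find_suspect_projects(projects, {u["id"] for u in sus_users})
    sus_issues = find_suspect_issues(issues)
    return {
        "vulnerable_version": is_vulnerable_version(gitlab_version),
        "users": [u["username"] for u in sus_users],
        "projects": [p["name"] for p in sus_projects],
        "issues": [i["title"] for i in sus_issues],
        "compromise_likely": bool(sus_users and sus_projects and sus_issues),
    }


# Constructed sample export (not real data).
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "created_at": "2019-02-01T09:00:00.000Z"},
    {"id": 42, "username": "johnyj12345", "created_at": "2020-07-12T03:14:00.000Z"},
]
SAMPLE_PROJECTS = [
    {"id": 10, "name": "infra", "creator_id": 1},
    {"id": 11, "name": "test8", "creator_id": 42},
    {"id": 12, "name": "test9", "creator_id": 42},
]
SAMPLE_ISSUES = [
    {"id": 100, "project_id": 10, "title": "Fix CI cache",
     "description": "Cache misses on main.", "moved_to_id": None},
    {"id": 101, "project_id": 11, "title": "issue1",
     "description": "see /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml",
     "moved_to_id": 102},
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_USERS, SAMPLE_PROJECTS, SAMPLE_ISSUES, date(2020, 7, 1), "12.8.10"))
```

Feed it the JSON you pull from `/api/v4/users`, `/api/v4/projects` and `/api/v4/issues` as an admin, with `since` set to the day before the suspicious sign-up. A hit on all three indicator classes on a vulnerable version is the situation the original post describes; an empty report on a patched version does not by itself prove nothing happened, since the attacker's projects and account may already have been cleaned up.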