Government Warns of Active Exploitation of Maximum-Severity GitLab Flaw Allowing Account Hijacking
ICARO Media Group
In a concerning development, federal government officials have issued a warning about an active exploitation of a maximum-severity vulnerability in GitLab, which enables hackers to hijack user accounts without any user interaction. Data reveals that thousands of users have yet to install a patch that was released in January to address this critical issue.
The vulnerability stems from a change implemented by GitLab in May 2023, allowing users to initiate password changes through links sent to secondary email addresses. This change was meant to facilitate password resets when users were unable to access the email address associated with their GitLab account. However, it was discovered that this feature could be manipulated by attackers to send reset emails to accounts they controlled, enabling them to take over the targeted accounts.
It is important to note that these hijackings only work against accounts that do not have multifactor authentication (MFA) configured. Accounts with MFA enabled remain susceptible to having their password reset, but the attacker still cannot log in without the second factor, which gives the rightful owner an opportunity to change the reset password.
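The mechanism described above comes down to a password-reset flow that mails a reset token to whatever destination the request names, instead of only to addresses the account holder has already verified. The following Python sketch is an added illustration, not GitLab's code or a reproduction of its reset logic: the user store, function names, and token format are all hypothetical, and the two handlers are placed side by side only to show the design difference a defender should look for in any reset flow.

```python
"""Added illustration (not GitLab's code): a password-reset handler that
trusts caller-supplied destination addresses, next to the hardened form
that only mails addresses already verified on the account.

All names, the in-memory user store, and the token format are hypothetical.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    primary_email: str
    # Secondary addresses the account holder has confirmed through a
    # verification link; only these may ever receive a reset token.
    verified_secondary: set[str] = field(default_factory=set)


# Constructed sample user store (hypothetical).
USERS = {
    "alice": Account("alice", "alice@example.com", {"alice.backup@example.com"}),
}

# Record of outgoing mail for the demonstration; a real system would send it.
OUTBOX: list[tuple[str, str]] = []


def _issue_token(username: str) -> str:
    # Opaque, unguessable token bound to the account being reset.
    return f"{username}:{secrets.token_urlsafe(16)}"


def weak_reset(username: str, requested_emails: list[str]) -> list[str]:
    """Weak design: the reset link is mailed to every address the request
    names. A request that lists an address outside the account therefore
    hands a valid reset token to whoever controls that mailbox.
    Returns the recipients used (for the demonstration)."""
    account = USERS.get(username)
    if account is None:
        return []
    token = _issue_token(username)
    for email in requested_emails:
        OUTBOX.append((email, token))
    return list(requested_emails)


def hardened_reset(username: str, requested_emails: list[str]) -> list[str]:
    """Hardened design: the request may only choose among addresses the
    account already owns and has verified; any other address is dropped.
    The HTTP layer would answer with the same generic message regardless of
    outcome, so this function's return value is for the demonstration only."""
    account = USERS.get(username)
    if account is None:
        return []
    allowed = {account.primary_email} | account.verified_secondary
    recipients = [e for e in requested_emails if e in allowed]
    if not recipients:
        return []
    token = _issue_token(username)
    for email in recipients:
        OUTBOX.append((email, token))
    return recipients


if __name__ == "__main__":
    mixed = ["alice@example.com", "outsider@example.net"]
    print("weak     ->", weak_reset("alice", mixed))      # both addresses get a token
    print("hardened ->", hardened_reset("alice", mixed))  # only alice's address
```

The check that matters is the `allowed` set: the server, not the request, decides where a reset token may go, and membership in that set requires a prior verification step. Enabling MFA, as the article recommends, is the second layer: even a token that reaches the wrong mailbox does not by itself yield a login.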
The severity rating of this vulnerability, known as CVE-2023-7028, is at the maximum level of 10 out of 10. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that there is evidence of active exploitation and has added the vulnerability to its list of known exploited vulnerabilities. However, no specific details about the ongoing attacks have been provided by CISA or GitLab representatives.
The flaw, classified as an improper access control weakness, presents a potentially grave threat. GitLab software typically has access to multiple development environments belonging to its users. Exploiting this vulnerability allows attackers to surreptitiously introduce changes, potentially sabotaging projects or implanting backdoors that could infect anyone using software built in the compromised environment.
The serious implications of this vulnerability are exemplified by previous supply-chain attacks, such as the SolarWinds incident in 2021, which affected over 18,000 customers. These attacks demonstrate the power of targeting a single entity to gain access to numerous downstream users, often without requiring any action from the affected users themselves.
A scan conducted by the security organization Shadowserver has revealed that over 2,100 IP addresses are currently hosting one or more vulnerable GitLab instances. It is worth noting that this number has gradually decreased since the patch release in January, as there were over 5,300 vulnerable addresses just one week after the patch was issued.
In response to the active exploitation, CISA has ordered all civilian federal agencies that have not yet patched the vulnerability to do so immediately. While the agency did not mention MFA, GitLab users are strongly advised to enable it, preferably using a method that complies with the FIDO industry standard.
It is important for GitLab users to understand that patching alone does not secure systems that have already been breached through this vulnerability. GitLab has provided incident response guidance for affected users to mitigate any potential damage.
As the threat of account hijacking through this maximum-severity GitLab flaw continues to loom, it is crucial for all users to take swift action to safeguard their accounts and mitigate the risk of supply-chain attacks.