A botnet of "thousands of compromised GitLab instances" is reportedly launching powerful DDoS attacks by exploiting a known vulnerability that was patched months ago, according to a Google security engineer.
Damian Menscher, a security reliability engineer at Google who is responsible for DDoS defense at the tech giant, tweeted Wednesday night about the GitLab DDoS attacks. He said the attacks were more than 1 Tbps, which was extremely high for botnet activity.
Previously-reported Tbps-scale attacks (including the 2.54 Tbps attack we saw in 2017) all used UDP amplification to achieve high volumes. Botnet attacks have not previously been reported at this scale. — Damian Menscher (@menscher) November 4, 2021
Menscher said the GitLab instances were exploited through CVE-2021-22205, a critical-severity remote code execution vulnerability that the code repository vendor patched in April in then-current versions of GitLab. The vulnerability results from GitLab not properly validating image files before handing them to a third-party file parser.
GitLab versions 13.10.3, 13.9.6 and 13.8.8 are protected; GitLab 11.9.x-13.8.7, 13.9.0-13.9.5 and 13.10.0-13.10.2 are vulnerable.
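A triage helper for the version ranges quoted above, added here as an example and not part of the article or of GitLab's own tooling. It encodes only the ranges the article lists; the assumption that any release at or after 13.10.3 (or later on a branch that already has a fix) is patched is mine, and versions the article does not name are flagged for manual review.

```python
"""Classify a self-managed GitLab version against the CVE-2021-22205
ranges quoted in the article: 11.9.x-13.8.7, 13.9.0-13.9.5 and
13.10.0-13.10.2 are vulnerable; 13.8.8, 13.9.6 and 13.10.3 are patched."""
import re
from typing import Tuple

# Inclusive (low, high) bounds constructed from the article's list.
VULNERABLE_RANGES = [
    ((11, 9, 0), (13, 8, 7)),
    ((13, 9, 0), (13, 9, 5)),
    ((13, 10, 0), (13, 10, 2)),
]
# First fixed release on each affected branch, per the article.
PATCHED_RELEASES = [(13, 8, 8), (13, 9, 6), (13, 10, 3)]

# MAJOR.MINOR[.PATCH][-suffix]; GitLab appends "-ee"/"-ce" to its versions.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-.*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '13.9.4-ee' into (13, 9, 4); a missing patch level becomes 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def classify(text: str) -> str:
    """Return 'vulnerable', 'patched' or 'outside-listed-ranges'."""
    v = parse_version(text)
    if any(low <= v <= high for low, high in VULNERABLE_RANGES):
        return "vulnerable"
    # Assumption: a later release on an already-fixed branch keeps the fix,
    # and everything from 13.10.3 onward postdates the April patch.
    for fixed in PATCHED_RELEASES:
        if v[:2] == fixed[:2] and v >= fixed:
            return "patched"
    if v >= max(PATCHED_RELEASES):
        return "patched"
    # Versions below 11.9 are not named in the article: review by hand.
    return "outside-listed-ranges"


if __name__ == "__main__":
    # Constructed sample inputs, not data from the article.
    for sample in ["13.9.4-ee", "13.8.8", "13.10.2-ce", "13.10.5", "11.8.0"]:
        print(f"{sample:12} -> {classify(sample)}")
```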
Rapid7 published new research related to the vulnerability Monday, two days before Menscher's tweets, that included an analysis of 60,000 internet-facing instances of GitLab. According to the blog post, just 21% of instances were fully patched against the bug, 50% were unpatched and 29% were undetermined. Rapid7 also shared an Oct. 25 post from Italian consultancy Humanativa detailing recent CVE-2021-22205 exploitation it discovered.
In a statement to SearchSecurity, GitLab vice president of security Johnathan Hunt said his company is aware of the DDoS attacks.
"Self-managed customers running an outdated version of GitLab were notified and urged to upgrade to a non-vulnerable version immediately," Hunt said. "Additionally, we have communicated recommended instructions on how to upgrade and determine potential impact. Our security team is continuing to monitor the situation and help ensure GitLab user accounts are protected."
Alexander Culafi is a writer, journalist and podcaster based in Boston.