A security reliability engineer at Google Cloud has revealed that malicious users have exploited a security flaw known as CVE-2021-22205 to launch a huge volume of distributed denial of service (DDoS) attacks.
The vulnerability was discovered by William Bowling and a fix was released in April 2021. It affected ExifTool, which was used to remove metadata from images uploaded onto servers, and Bowling reported (https://bit.ly/lxf284bug) that he found a way to exploit the way ExifTool handles .djvu and .djv file uploads and gain control over the entire GitLab web server. Italian security firm HN Security then found attacks exploiting CVE-2021-22205 in June, after randomly named users were added to GitLab servers; these accounts were likely created by malicious users to gain control over the compromised servers.
Damian Menscher from Google then tweeted (https://bit.ly/lxf284tweet) that “A botnet of thousands of compromised #GitLab instances (exploited via CVE-2021-22205) is generating DDoS attacks in excess of 1 Tbps.” While the patch for this vulnerability was released in April, a report by Rapid7 (https://bit.ly/lxf284rapid7) revealed that around half of all self-hosted GitLab servers – about 30,000 – remain unpatched.
Although the proof-of-concept code for this vulnerability appeared in June, attackers are still exploiting many companies’ slowness to patch their software. While the flaw can be mitigated by blocking .djvu and .djv uploads, the better advice comes from Menscher: “Please patch your servers!”