CVE-2019-15741

9.8 CRITICAL

📋 TL;DR

This vulnerability in GitLab Omnibus allows local attackers to escalate privileges through an unsafe interaction with logrotate. Attackers can gain root access by exploiting improper permissions or symlink handling in log rotation processes. Affects GitLab Omnibus installations from version 7.4 through 12.2.1.

💻 Affected Systems

Products:
  • GitLab Omnibus
Versions: 7.4 through 12.2.1
Operating Systems: Linux distributions running GitLab Omnibus
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Omnibus installations (all-in-one packages), not source installations. Requires local access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full root compromise of the GitLab server, allowing complete system takeover, data theft, and lateral movement within the network.

🟠 Likely Case: Local privilege escalation to root, enabling attackers to install backdoors, modify configurations, and access sensitive GitLab data.

🟢 If Mitigated: Limited impact with proper access controls, but still poses risk if attackers gain initial low-privilege access.

🌐 Internet-Facing: MEDIUM - Requires initial access to the system, but internet-facing GitLab instances are common targets for initial compromise.
🏢 Internal Only: HIGH - Once an attacker gains any local access, they can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access but is straightforward to execute. Multiple public exploit scripts and detailed write-ups exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GitLab Omnibus 12.2.3 and later

Vendor Advisory: https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/

Restart Required: Yes

Instructions:

1. Back up your GitLab data.
2. Update GitLab Omnibus to version 12.2.3 or later using 'sudo apt-get update && sudo apt-get install gitlab-ce' (Debian/Ubuntu) or 'sudo yum update gitlab-ce' (RHEL/CentOS).
3. Run 'sudo gitlab-ctl reconfigure'.
4. Restart GitLab services.

🔧 Temporary Workarounds

Manual logrotate configuration hardening

Modify the logrotate configuration to use secure permissions and avoid symlink attacks:

sudo chmod 640 /etc/logrotate.d/gitlab
sudo chown root:root /etc/logrotate.d/gitlab
sudo chmod 750 /var/log/gitlab
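
The workaround above sets permissions once; the script below is an added example (not part of the advisory or of GitLab) that audits the same paths read-only so the state can be re-checked from cron or CI. It reports symlinks, world-writable entries and entries not owned by an expected owner under a path. The Omnibus paths are the ones named on this page; the expected owner defaults to root and is a parameter, since service log subdirectories may legitimately belong to a service account. The temporary tree used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: read-only audit of the files the
# workaround hardens. Nothing is changed; findings are printed one per line.

# audit_log_tree PATH [OWNER]: empty output means nothing was found.
# Symlinks are listed on their own and excluded from the other two checks,
# because a symlink's own mode is always 777 and would be double-counted.
audit_log_tree() {
    dir=$1
    owner=${2:-root}   # expected owner; pass the service account for its own subdirectories
    find "$dir" -type l 2>/dev/null | sed 's/^/symlink: /'
    find "$dir" ! -type l -perm -002 2>/dev/null | sed 's/^/world-writable: /'
    find "$dir" ! -type l ! -user "$owner" 2>/dev/null | sed "s/^/not owned by $owner: /"
}

# Number of findings, so a scheduled job can fail on anything non-zero.
audit_finding_count() {
    audit_log_tree "$@" | wc -l | tr -d ' '
}

# Run against the Omnibus paths from the advisory when they exist on this host.
for target in /etc/logrotate.d/gitlab /var/log/gitlab; do
    if [ -e "$target" ]; then
        echo "== $target"
        audit_log_tree "$target"
    fi
done
```

Run it as root so every entry under /var/log/gitlab is readable; a "symlink:" or "world-writable:" line under the log tree is worth investigating, while "not owned by" lines need to be read against which account is supposed to own that subdirectory.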

🧯 If You Can't Patch

  • Restrict local user access to GitLab servers to only necessary administrators
  • Implement strict file integrity monitoring on logrotate configurations and GitLab log directories

🔍 How to Verify

Check if Vulnerable:

Check the GitLab version with 'sudo gitlab-rake gitlab:env:info | grep Version' and verify whether it falls between 7.4 and 12.2.1 inclusive.

Check Version:

sudo gitlab-rake gitlab:env:info | grep Version

Verify Fix Applied:

Confirm version is 12.2.3 or later with 'sudo gitlab-rake gitlab:env:info | grep Version'
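
Because 'grep Version' also matches the Ruby and Git version lines, and a range check on dotted versions is easy to get wrong by string comparison, here is an added example (not part of the advisory or of GitLab) that extracts the GitLab line from gitlab:env:info output and tests it numerically against the affected range 7.4 through 12.2.1. The gitlab:env:info excerpt it runs on is constructed; on a real host pipe in the actual command output instead.

```shell
#!/bin/sh
# Added example, not part of the advisory: is this Omnibus version affected?

# Map "MAJOR.MINOR.PATCH" to one integer so the range test is a plain numeric
# comparison. Leading text and suffixes such as "-ee" are ignored; missing
# parts count as 0 (so "7.4" is 7.4.0).
version_key() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}; [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%.*}
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Returns 0 (true) when the version is inside 7.4 .. 12.2.1, 1 otherwise.
gitlab_version_vulnerable() {
    key=$(version_key "$1")
    [ "$key" -ge "$(version_key 7.4)" ] && [ "$key" -le "$(version_key 12.2.1)" ]
}

# Extracts the GitLab version from gitlab:env:info output on stdin: only the
# line that begins with "Version:" is GitLab's own; "Ruby Version:" and
# "Git Version:" are skipped because they do not start the line.
gitlab_version_from_env_info() {
    awk '/^Version:/ { print $2; exit }'
}

# Constructed excerpt of `sudo gitlab-rake gitlab:env:info` output.
sample_env_info() {
    cat <<'EOF'
System information
Ruby Version:   2.6.3p62
Git Version:    2.22.0

GitLab information
Version:        12.2.1
Revision:       <placeholder>
EOF
}

ver=$(sample_env_info | gitlab_version_from_env_info)
if gitlab_version_vulnerable "$ver"; then
    echo "GitLab $ver is in the affected range 7.4 through 12.2.1: update to 12.2.3 or later"
else
    echo "GitLab $ver is outside the affected range"
fi
```

On a live system replace the sample with `sudo gitlab-rake gitlab:env:info | gitlab_version_from_env_info`; the same function then confirms the fix after the update, since 12.2.3 and later fall outside the range.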

📡 Detection & Monitoring

Log Indicators:

  • Unusual logrotate activity
  • Permission changes in /var/log/gitlab
  • Unexpected root shell sessions

Network Indicators:

  • Sudden outbound connections from GitLab server after local user login

SIEM Query:

process_name:"logrotate" AND parent_process_name:"gitlab" AND (command_line:"chmod" OR command_line:"chown")
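
To see what the SIEM query above does and does not catch, here is an added example (not part of the advisory) that expresses the same condition as a filter over process-execution events and runs it on constructed sample lines. The key="value" event format and field names are an assumption; adapt them to your EDR's export.

```shell
#!/bin/sh
# Added example, not part of the advisory: the SIEM query as a line filter.

# scan_process_events: reads one event per line on stdin and prints those
# where logrotate, spawned by a gitlab parent, ran chmod or chown.
scan_process_events() {
    awk '
        /process_name="logrotate"/ && /parent_process_name="gitlab"/ &&
        (/command_line="[^"]*chmod/ || /command_line="[^"]*chown/) { print }
    '
}

# Constructed sample events (field names and paths are illustrative).
sample_process_events() {
    cat <<'EOF'
ts=2019-09-01T03:15:02Z process_name="logrotate" parent_process_name="gitlab" command_line="logrotate /path/to/logrotate.conf"
ts=2019-09-01T03:15:03Z process_name="sh" parent_process_name="logrotate" command_line="chmod 755 /var/log/gitlab"
ts=2019-09-01T03:15:04Z process_name="logrotate" parent_process_name="gitlab" command_line="chown git:git /var/log/gitlab/gitlab-rails"
EOF
}

sample_process_events | scan_process_events
```

Only the third sample line matches: the second one records a chmod run by a shell that logrotate spawned, which the query as written misses because it keys on logrotate being the process rather than an ancestor. A rule that also walks the parent chain closes that gap.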
