,"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}
Detecting Exploitation Attempts
For self-managed customers forwarding GitLab application_json logs to a SIEM, it is possible to build detections for Ruby-SAML (CVE-2024-45409) exploitation attempts. Our team is sharing two threat detection rules, written in Sigma format, to detect potential exploitation.
Note: These detections may need to be tuned and modified for customer environments in order to deliver effective results, and because customer environments vary in configuration, customers should validate the legitimacy and accuracy of any events identified by these detections.
Users with more than 1 unique extern_uid over time
This detection is designed to identify an authenticated SAML user with more than one extern_uid value linked to authentication events, a potential indication of malicious authentications with an attacker-set extern_uid field.
title: Multiple extern_ids
description: Detects when there are multiple extern_ids associated with a user.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
  select log source application.log
  where 7d < event_time < now()
  where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
  regex(message, "saving user (?<user_email>\S+) .*extern_uid \S+ (?<extern_id>[\S]+)")
  count extern_id by user_email as total_extern_ids
  where total_extern_ids > 1
verify: Review GitLab application logs for the source IP of the SAML authentications. If there is a single IP for all extern_ids, this could point to a false positive. Cross-reference the SAML authentication source IPs with the known user's IP from SSO authentication logs.
tuning: N/A
GitLab SAML authentication from a different IP address than other IdP events for the same user over time
This detection correlates authentication events, grouped by user, across both GitLab SAML authentication events and other IdP authentication events, in order to identify a change in the user's IP address, which could indicate attacker authentication sessions.
title: Gitlab SAML IP differs from SSO IP
description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the user's known IP from SSO MFA logs.
author: Gitlab Security Engineering
date: 09/15/2024
schedule: "*/10 * * * *"
pseudocode: |
  select log source application.log
  where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml"
  regex(message, "saving user (?<user_email>\S+) ")
  # Create a sub-query to bring in the table of SSO authentication data
  select meta_remote_ip, user_email
  where user_email in
  (
    select log source authentication
    where 1d < event_time < now()
    where event_type="user.authentication.auth_via_mfa"
    group by user_email, sso_source_ip
  )
  where sso_source_ip!=meta_remote_ip
verify: False positives can arise when the user is traveling. Review SSO authentication logs to see whether the geolocation is similar to that of the SAML authentication to GitLab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's GitLab account and review their activity through GitLab's application logs.
tuning: If the query is producing many false positives, consider using geolocation functions on the IPs to compare the cities and countries that are generating the authentications.
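The two rules above are written as SIEM pseudocode. As an added illustration (not GitLab's code, and not part of the original post), the following Python runs the same two checks over a handful of constructed application_json and SSO/MFA events. The message wording after "saving user", the flattened field names (meta_caller_id, meta_remote_ip, sso_source_ip) and the timestamps are assumptions made for the example; only the filters and regexes the rules state are taken from the page. The second check is slightly stricter than the literal pseudocode: it flags a SAML login only when its source IP matches none of the user's MFA source IPs in the window, which avoids alerting on a user who legitimately authenticated from two addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes from the two rules above, with the named capture groups restored.
EXTERN_UID_RE = re.compile(r"saving user (?P<user_email>\S+) .*extern_uid \S+ (?P<extern_id>\S+)")
SAVING_USER_RE = re.compile(r"saving user (?P<user_email>\S+) ")
GROUP_SAML_CALLER = "Groups::OmniauthCallbacksController#group_saml"
MFA_EVENT = "user.authentication.auth_via_mfa"


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-09-15T10:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _in_window(event_time, now, window):
    return now - window < event_time <= now


# Constructed sample application_json events (not real log data). The message text is an
# assumption; only severity, meta_caller_id, meta_remote_ip and the regex fields matter.
APP_LOG = [
    {"time": "2024-09-15T09:00:00Z", "severity": "INFO", "meta_caller_id": GROUP_SAML_CALLER,
     "meta_remote_ip": "203.0.113.10",
     "message": "(group_saml) saving user alice@example.com (42) from login with extern_uid => alice-uid-001"},
    {"time": "2024-09-15T09:30:00Z", "severity": "INFO", "meta_caller_id": GROUP_SAML_CALLER,
     "meta_remote_ip": "198.51.100.7",
     "message": "(group_saml) saving user alice@example.com (42) from login with extern_uid => forged-uid-999"},
    {"time": "2024-09-15T09:45:00Z", "severity": "INFO", "meta_caller_id": GROUP_SAML_CALLER,
     "meta_remote_ip": "203.0.113.20",
     "message": "(group_saml) saving user bob@example.com (43) from login with extern_uid => bob-uid-002"},
    # Not the group_saml callback, so both rules must ignore it.
    {"time": "2024-09-15T09:50:00Z", "severity": "INFO", "meta_caller_id": "SessionsController#create",
     "meta_remote_ip": "203.0.113.99",
     "message": "saving user carol@example.com (44) from login with extern_uid => carol-uid-003"},
]

# Constructed sample MFA events from the identity provider (field names assumed).
SSO_LOG = [
    {"time": "2024-09-15T08:55:00Z", "event_type": MFA_EVENT,
     "user_email": "alice@example.com", "sso_source_ip": "203.0.113.10"},
    {"time": "2024-09-15T09:40:00Z", "event_type": MFA_EVENT,
     "user_email": "bob@example.com", "sso_source_ip": "203.0.113.20"},
]

NOW = _ts("2024-09-15T10:00:00Z")


def saml_events(app_log, now, window):
    """Yield INFO group_saml callback events inside the window (the filter both rules share)."""
    for ev in app_log:
        if ev.get("severity") != "INFO" or ev.get("meta_caller_id") != GROUP_SAML_CALLER:
            continue
        if _in_window(_ts(ev["time"]), now, window):
            yield ev


def users_with_multiple_extern_ids(app_log, now=NOW, window=timedelta(days=7)):
    """Rule 1: map user_email -> sorted extern_ids for users seen with more than one extern_uid."""
    seen = defaultdict(set)
    for ev in saml_events(app_log, now, window):
        m = EXTERN_UID_RE.search(ev["message"])
        if m:
            seen[m["user_email"]].add(m["extern_id"])
    return {user: sorted(ids) for user, ids in seen.items() if len(ids) > 1}


def saml_ip_differs_from_sso(app_log, sso_log, now=NOW, window=timedelta(days=1)):
    """Rule 2: list (user_email, saml_ip, known_sso_ips) for SAML logins from an IP the IdP
    has not seen for that user in the window. Users with no MFA events in the window are
    skipped, as the IN sub-query in the rule would skip them."""
    known = defaultdict(set)
    for ev in sso_log:
        if ev.get("event_type") == MFA_EVENT and _in_window(_ts(ev["time"]), now, window):
            known[ev["user_email"]].add(ev["sso_source_ip"])
    hits = []
    for ev in saml_events(app_log, now, window):
        m = SAVING_USER_RE.search(ev["message"])
        if not m or m["user_email"] not in known:
            continue
        if ev["meta_remote_ip"] not in known[m["user_email"]]:
            hits.append((m["user_email"], ev["meta_remote_ip"], sorted(known[m["user_email"]])))
    return hits


if __name__ == "__main__":
    print(users_with_multiple_extern_ids(APP_LOG))
    print(saml_ip_differs_from_sso(APP_LOG, SSO_LOG))
```

On the sample data the first check reports alice with two extern_uids, and the second reports her 198.51.100.7 login, which no MFA event corroborates; bob's single login from his MFA address and carol's non-SAML event produce nothing. The verify steps from the rules still apply to any hit: pull the source IPs for every extern_uid and compare them with the IdP's records before treating the account as compromised.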
Updating
To update GitLab, see the Update page.
To update GitLab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page.
To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We're combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner; read the blog post here.
GitLab Critical Patch Release: 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, 16.0.10