{"id":40046,"date":"2024-09-22T12:08:32","date_gmt":"2024-09-22T16:08:32","guid":{"rendered":"https:\/\/netfoundry.io\/?p=40046"},"modified":"2025-11-15T14:38:23","modified_gmt":"2025-11-15T19:38:23","slug":"gitlab-cve-2024-45409-critical-saml-authentication-bypass-flaw","status":"publish","type":"post","link":"https:\/\/netfoundry.io\/cve\/gitlab-cve-2024-45409-critical-saml-authentication-bypass-flaw\/","title":{"rendered":"GitLab CVE-2024-45409: Critical SAML Authentication Bypass Flaw"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

GitLab Security Is Not The Problem \u2013 The Network Model Is<\/h2>\n\n

Businesses who use NetFoundry\u2019s Ziti platform to secure\u00a0GitLab<\/a>\u00a0can be on the beach with a cocktail if they feel like it. Because GitLab\u00a0CVE-2024-45409<\/a>\u00a0is a non-event to\u00a0NetFoundry<\/a>\u00a0customers, despite being severity score 10.0 for the rest of the world.<\/p>\n\n

Sure, at some point these NetFoundry-protected businesses should\u00a0patch their\u00a0<\/a>self-hosted GitLab<\/a>\u00a0instances (GitLab patched their cloud-hosted version). But in the meantime, the attackers can\u2019t exploit the bug. By design. Enjoy the sunset, work on your more important opportunities or problems, and then patch your GitLab.<\/p>\n\n

\u00a0<\/div>\n\n

Why GitLab CVE-2024-45409 is a Non-Event for NetFoundry Customers<\/strong><\/h3>\n\n

TL;DR: NetFoundry\u2019s solution means an attacker can only reach the GitLab server if the attacker either:<\/p>\n\n

    \n
  1. Walks into the right data center and consoles into the right server.<\/li>\n\n
  2. Gains physical control of an authorized GitLab user and their device.<\/li>\n<\/ol>\n\n

    Do you remember the last major breach caused by one of those factors? The GitLab CVE is a snoozer for NetFoundry customers because attackers can\u2019t exploit the bug from the networks \u2013 with NetFoundry\u2019s solution, the GitLab server is not reachable from the underlay network.<\/p>\n\n

    When you log in to your bank application on your mobile phone via facial or fingerprint recognition, modern cryptography secures your connection and it is mainly invisible to you as an end user. That\u2019s what NetFoundry has done with our reinvention of networking. Simultaneously strengthened security, while getting it out of the way of users and administrators. Bugs like GitLab CVE-2024-45409 a non-event for the businesses who use NetFoundry to secure their self-hosted GitLab, but the NetFoundry reinvention of networking means that user and administrator experience is not compromised on the process.<\/p>\n\n

    The same solution secures all your self-hosted software, including all of its APIs, webhooks, pipelines and server-to-server workloads. But let\u2019s use GitLab as an example since they are in the news for the wrong reasons.<\/p>\n\n

    \u00a0<\/div>\n\n

    We Need Resiliency \u2013 To Flip Networks From Aiding Attacks To Preventing Them<\/strong><\/h3>\n\n

    To get to GitLab and exploit a bug, you need two things:<\/p>\n\n

      \n
    1. Network access<\/li>\n\n
    2. GitLab access<\/li>\n<\/ol>\n\n

      Let\u2019s start with GitLab. GitLab itself has stronger security. You\u2019ll need to identify, authenticate, and authorize. Most of the time this is fine. But sometimes a bug arises \u2013 this is more of a \u2018when\u2019 than an \u2018if\u2019. CVE-2024-45409 is one of those times.<\/p>\n\n

      So this is where the other security layer enters \u2013 the network. In a resilient, multi-layer security solution, the network would not let attackers get to GitLab to exploit its bug. But today\u2019s network model is inherently insecure \u2013 as we saw with GitLab, the attackers are able to get to the GitLab server.<\/p>\n\n

      It is tempting to say the bug is the root cause. It isn\u2019t. The bug is a proximate cause or a symptom of a bigger problem. Our jobs are to design enough resiliency to make those bugs as\u00a0un<\/em>impactful as possible, because they are inevitable.<\/p>\n\n

      \u00a0<\/div>\n\n

      Why We Need More Than GitLab Security<\/strong><\/h3>\n\n

      So what is the root cause? There is no resiliency. The root cause is the network itself is default insecure, and has no mechanism to fully identify, authenticate and authorize your session. Think of GitLab as the flight gate at the airport. Before you can get to the gate, you need to pass airport security to get into the terminal. For GitLab, and all networked applications, the equivalent of airport security is the network. But the network does not have strong security \u2013 you can stroll up to the GitLab \u2018flight gate\u2019 and walk right in if there is a bug. We don\u2019t have resiliency\u2014all eggs are in the GitLab security basket. Crazy? Only kind of.<\/p>\n\n

      It is not\u00a0that<\/em>\u00a0crazy because network security is an oxymoron. Bolt-ons like VPNs, ZTNA, SASE, IdPs, and SD-WANs are expensive and complex. They block business velocity, agility, and extensibility. And they often aren\u2019t very secure because they are bolted on top of inherently insecure TCP\/IP networks. They are not much better than public Internet because the firewall in front of GitLab still needs to let certain ports, IPs, and VPN endpoints enter, and that is where the problem is. In short,\u00a0VPN and ZTNA solutions fall short.<\/a><\/p>\n\n

      \u00a0<\/div>\n\n

      The Reinvention of Network Security<\/strong><\/h3>\n\n

      But what if we had a better way? Network security which actually improves velocity. A networking model which adds resiliency and prevents exploitations of bugs such as GitLab CVE-2024-45409, and the invariable scramble to patch it while you race against the entire Internet who can now exploit it. You\u2019d need to invent a new networking model.<\/p>\n\n

      So that is what we did at NetFoundry. And we cheated. Network security is an oxymoron if you are bolting on top of an inherently insecure network. So, we reinvented the entire network model as software, with the security built-in. Rather than build yet another network security solution, we invented a secure network model. The network is now secure-by-design software. Let\u2019s unpack that:<\/p>\n\n