When a user added a custom domain to their Pages site, no validation was performed to confirm that the user actually owned the domain. An attacker could therefore discover DNS records that already point to the GitLab Pages IP address but are not currently claimed by any Pages project, add those hostnames to their own project, and have Pages serve their content for them (a domain hijack). This issue affects every user who created and later deleted a custom domain in GitLab Pages while leaving the corresponding DNS records active.
Customer Remediation Steps
Our customers should check whether they use the GitLab Pages service with a custom domain and review any DNS records that point to the GitLab Pages IP address.
If you find DNS records pointing to that IP address and you are no longer using, or no longer intend to use, the GitLab Pages service, remove those specific DNS records.
If you intend to keep using the GitLab Pages service and find that your custom domain has already been claimed or "hijacked", please contact us at firstname.lastname@example.org.
GitLab Remediation Strategy
We have temporarily disabled the ability to add custom domains until the patch is deployed. In the meantime, the GitLab team is working to provide complete ownership validation of custom domains in the GitLab Pages service as soon as possible.
Our mitigation will consist of a domain verification mechanism for all new and existing GitLab Pages domains, based on a check of a DNS TXT record that the customer publishes for the domain. The mechanism will be detailed in the GitLab Pages documentation once implemented.
There will be a transition plan for current customers once the domain verification mechanisms are active. Stay tuned for further details.
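The following is an added example, not GitLab's own code, showing the two checks described above: the customer-side audit for DNS records that still point at the Pages IP but are not claimed by a project (the hijackable state), and the server-side TXT-record ownership verification that the remediation describes. The record name `_gitlab-pages-verification-code.<domain>`, the `gitlab-pages-verification-code=<code>` value format, the IP address and the domain names are all constructed for this illustration; a real deployment would replace `sample_resolver` with an actual DNS lookup.

```python
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample DNS data for the example. The IP is a TEST-NET-3
# placeholder, not GitLab's real Pages address, and the domains are made up.
PAGES_IP = "203.0.113.10"

# (owner name, record type) -> list of answers, as a stand-in for the DNS.
SAMPLE_ZONES: Dict[Tuple[str, str], List[str]] = {
    # alice still uses Pages and has published the verification TXT record.
    ("www.alice.example", "A"): [PAGES_IP],
    ("_gitlab-pages-verification-code.www.alice.example", "TXT"): [
        '"gitlab-pages-verification-code=5c1a3c2f0d9e4b7a8f6e1d2c3b4a5968"',
    ],
    # bob deleted his Pages domain but left the A record live: hijackable.
    ("blog.bob.example", "A"): [PAGES_IP],
    # carol's domain never pointed at Pages at all.
    ("shop.carol.example", "A"): ["198.51.100.7"],
}

# A resolver is anything that maps (name, type) to a list of answer strings.
Resolver = Callable[[str, str], List[str]]


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Offline resolver over the constructed zone data above."""
    key = (name.lower().rstrip("."), rtype.upper())
    return SAMPLE_ZONES.get(key, [])


def find_dangling_pages_records(domains: Iterable[str], claimed: Set[str],
                                resolve: Resolver) -> List[str]:
    """Customer-side audit: domains whose A record still points at the Pages
    IP but that are not claimed by any Pages project. These are the records
    the advisory asks customers to remove (or reclaim)."""
    dangling = []
    for domain in domains:
        answers = resolve(domain, "A")
        if PAGES_IP in answers and domain not in claimed:
            dangling.append(domain)
    return dangling


def new_verification_code() -> str:
    """Per-domain secret issued when a domain is added; 128 bits of entropy
    so it cannot be guessed by an attacker who controls nothing but DNS."""
    return secrets.token_hex(16)


def verification_record_name(domain: str) -> str:
    # Assumed record layout for this example: a dedicated subdomain so the
    # customer does not have to modify the TXT records of the apex name.
    return f"_gitlab-pages-verification-code.{domain}"


def domain_is_verified(domain: str, expected_code: str, resolve: Resolver) -> bool:
    """Server-side ownership check: the domain counts as owned only if one of
    its TXT answers carries exactly the code issued to this project. The
    comparison is constant-time so partial matches leak no timing signal."""
    expected = f"gitlab-pages-verification-code={expected_code}"
    for txt in resolve(verification_record_name(domain), "TXT"):
        value = txt.strip().strip('"')  # TXT answers are often quoted
        if hmac.compare_digest(value, expected):
            return True
    return False


if __name__ == "__main__":
    mine = ["www.alice.example", "blog.bob.example", "shop.carol.example"]
    print("dangling:", find_dangling_pages_records(mine, {"www.alice.example"}, sample_resolver))
    print("alice verified:", domain_is_verified(
        "www.alice.example", "5c1a3c2f0d9e4b7a8f6e1d2c3b4a5968", sample_resolver))
    print("bob verified:", domain_is_verified("blog.bob.example", new_verification_code(), sample_resolver))
```

The verification check is what closes the hole in the original flow: an attacker can still add `blog.bob.example` to their own project, but Pages would not route traffic for it until a TXT record containing the attacker's code appears in bob's zone, which only bob can publish.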