---
title: "Gitlab-shell is affected by Bash CVE-2014-6271"
date: 2014-09-24 19:00 CEST
categories: releases
author: Jacob Vosmaer
---

Today a security vulnerability in Bash (CVE-2014-6271) [was announced](http://www.openwall.com/lists/oss-security/2014/09/24/12) that can be exploited against the OpenSSH daemon. On GitLab servers where the default shell of the `git` user is Bash (or Bash masquerading as `sh`) this allows for remote code execution as the `git` user for attackers who have uploaded their SSH key to GitLab via the GitLab web interface. If the attacker does not have an account with an SSH key on your GitLab server then they cannot exploit Bash CVE-2014-6271 via GitLab.

_Update 19:09 CEST:_ Added a mailing list link with details about the Bash vulnerability.

_Update 19:33 CEST:_ Explain that attackers need a GitLab account.

_Update 2014-09-25 9:40 CEST:_ Emphasize that updating Bash is the solution.

_Update 2014-09-25 15:00 CEST:_ Updated for CVE-2014-7169.

## Detection

Assuming your SSH key is in GitLab, you can test for this vulnerability with the following command:

```
ssh git@gitlab.example.com '() { ignored; }; /usr/bin/id'
```

On affected GitLab servers, the output will look like this:

```
uid=1001(git) gid=1001(git) groups=1001(git)
```

If you see `Not allowed command` instead, your GitLab server is not affected by this vulnerability.

## Updates

To address this vulnerability you need to update Bash to a safe version on your system.

```
# Debian/Ubuntu http://www.ubuntu.com/usn/usn-2362-1/
sudo apt-get update
sudo apt-get install bash

# CentOS https://access.redhat.com/node/1207723
sudo yum update bash
sudo /sbin/ldconfig
```

Note that your [GitLab server may still be affected by Bash CVE-2014-7169](/blog/2014/09/25/gitlab-shell-and-bash-cve-2014-7169/) until new Bash packages get released by your OS distribution; consider making sure the `git` user does not use Bash as described below.

## Workarounds

If it is not possible to update Bash to a safe version on your GitLab server you can change the shell of the `git` user to `csh`. Dash, which is installed on Debian/Ubuntu by default, is also an option. Please note that updating the shell of the `git` user protects GitLab, but not the rest of your system.

You can check which shell is used by the `git` user as follows:

```
$ ls -l $(getent passwd git | awk -F: '{print $7}')
lrwxrwxrwx 1 root root 4 Sep 24 18:08 /bin/sh -> bash
```

Note that in the example above, the `git` user is at risk because their shell is Bash.

As a workaround, we can make Csh the default shell for the `git` user.

```
# Debian/Ubuntu
sudo apt-get install csh

# CentOS
sudo yum install csh
```

If you are using omnibus-gitlab, add the following line to `/etc/gitlab/gitlab.rb` and run `sudo gitlab-ctl reconfigure`:

```
user['shell'] = '/bin/csh'
```

If you are using an installation from source you can change the shell for the git user with the following command:

```
sudo chsh -s /bin/csh git
```

Now test if you are no longer vulnerable with the command listed above under 'Detection'.

If changing the shell of the Git user is not an option for some reason you can also defend against this vulnerability by adding `git` to the `DenyUsers` in `/etc/ssh/sshd_config` and restarting SSH. Note that this will disable Git push/pull access via SSH to your GitLab server.

```
DenyUsers git
```
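
The `ls -l` check above shows only the first symlink hop. The following script is an added example, not part of the original post or of GitLab's code: it follows the whole link chain and also recognises a copy of Bash installed under another name. The function names are hypothetical, and it assumes a `readlink` that supports `-f`.

```sh
#!/bin/sh
# Added example, not GitLab's code. Function names are hypothetical.
# Usage: audit_entry "$(getent passwd git)"

# Print the login shell (field 7) of one passwd(5)-format entry in $1.
# An empty field means the system default, /bin/sh.
shell_from_entry() {
    s=$(printf '%s\n' "$1" | awk -F: '{ print $7 }')
    printf '%s\n' "${s:-/bin/sh}"
}

# Succeed if the program at path $1 is Bash.
is_bash() {
    # Follow every symlink hop until a real file is reached.
    real=$(readlink -f -- "$1" 2>/dev/null) || return 1
    [ -x "$real" ] || return 1
    case "${real##*/}" in
        bash) return 0 ;;
    esac
    # A copy of Bash under another name still reports itself in its banner.
    "$real" --version </dev/null 2>/dev/null | head -n 1 | grep -q 'GNU bash'
}

# Print a verdict for the entry in $1.
# Returns 0 = not Bash, 1 = Bash, 2 = no entry.
audit_entry() {
    if [ -z "$1" ]; then
        echo "no passwd entry given"
        return 2
    fi
    user=${1%%:*}
    shell=$(shell_from_entry "$1")
    if is_bash "$shell"; then
        echo "$user: login shell $shell is Bash, update Bash or change the shell"
        return 1
    fi
    echo "$user: login shell $shell is not Bash"
    return 0
}
```

The banner probe runs the account's login shell with `--version` as the invoking user, so run the audit from an administrative session rather than a shared one.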