---
title: "Gitlab-shell is affected by Bash CVE-2014-6271"
date: 2014-09-24 19:00 CEST
categories: releases
author: Jacob Vosmaer
---

Today a security vulnerability in Bash (CVE-2014-6271) [was
announced](http://www.openwall.com/lists/oss-security/2014/09/24/12) that can
be exploited against the OpenSSH daemon. On GitLab servers where the default
shell of the `git` user is Bash (or Bash masquerading as `sh`) this allows for
remote code execution as the `git` user for attackers who have uploaded their
SSH key to GitLab via the GitLab web interface.

If the attacker does not have an account with an SSH key on your GitLab server
then they cannot exploit Bash CVE-2014-6271 via GitLab.

<!--more-->

_Update 19:09 CEST:_ Added a mailing list link with details about the Bash
vulnerability.

_Update 19:33 CEST:_ Explain that attackers need a GitLab account.

_Update 2014-09-25 9:40 CEST:_ Emphasize that updating Bash is the solution.

_Update 2014-09-25 15:00 CEST:_ Updated for CVE-2014-7169.

## Detection

Asssuming your SSH key is in GitLab, you can test for this vulnerability with
the following command:

```
ssh  git@gitlab.example.com '() { ignored; }; /usr/bin/id'
```

On affected GitLab servers, the output will look like this:

```
uid=1001(git) gid=1001(git) groups=1001(git)
```

If you see `Not allowed command` instead, your GitLab server is not affected by
this vulnerability.

## Updates

To address this vulnerability you need to update Bash to a safe version on your
system.

```
# Debian/Ubuntu http://www.ubuntu.com/usn/usn-2362-1/
sudo apt-get update
sudo apt-get install bash

# Centos https://access.redhat.com/node/1207723
sudo yum update bash
sudo /sbin/ldconfig
```

Note that your [GitLab server may still be affected by Bash
CVE-2014-7169](/blog/2014/09/25/gitlab-shell-and-bash-cve-2014-7169/) until new Bash
packages get released by your OS distribution; consider making sure the `git`
user does not use Bash as described below.

<a name="workarounds"></a>
## Workarounds

If it is not possible to update Bash to a safe version on your GitLab server
you can change the shell of the `git` user to `csh`. Dash, which is installed
on Debian/Ubuntu by default, is also an option. Please note that updating the
shell of the `git` user protects GitLab, but not the rest of your system.

You can check which shell is used by the `git` user as follows:

```
$ ls -l $(getent passwd git | awk -F: '{print $7}')
lrwxrwxrwx 1 root root 4 Sep 24 18:08 /bin/sh -> bash
```

Note that in the example above, the `git` user is at risk because their shell
is Bash.

As a workaround, we can make Csh the default shell for the `git` user.

```
# Debian/Ubuntu
sudo apt-get install csh

# Centos
sudo yum install csh
```

If you are using omnibus-gitlab, add the following line to
`/etc/gitlab/gitlab.rb` and run `sudo gitlab-ctl reconfigure`:

```
user['shell'] = '/bin/csh'
```

If you are using an installation from source you can change the shell for the
git user with the following command:

```
sudo chsh -s /bin/csh git
```

Now test if you are no longer vulnerable with the command listed above under
'Detection'.

If changing the shell of the Git user is not an option for some reason you can
also defend against this vulnerability by adding `git` to the `DenyUsers` in
`/etc/ssh/sshd_config` and restarting SSH. Note that this will disable Git
push/pull access via SSH to your GitLab server.

```
DenyUsers git
```