Remote Command Execution in git client (CVE-2017-12426)

2017-08-11T00:00:00
ID SSV:96341
Type seebug
Reporter Root
Modified 2017-08-11T00:00:00

Description

Remote Command Execution in git client (CVE-2017-12426)

An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the "Repo by URL" import option in GitLab. The command line git client was not properly escaping command line arguments in URLs using the SSH protocol before invoking the SSH client. A specially crafted URL could be used to execute arbitrary shell commands on the GitLab server.

To fully patch this vulnerability two fixes were needed. The Omnibus versions of GitLab contain a patched git client. For source users who may still be running an older version of git, GitLab now also blocks import URLs containing invalid host and usernames. 35212

This issue has been assigned CVE-2017-12426.

Thanks to Joern Schneeweisz and Recurity-Labs for discovering this vulnerability, providing immediate notification, and helping us coordinate a release across several projects.

Versions affected

  • 7.9.0 through 8.17.7
  • 9.0.0 through 9.0.12
  • 9.1.0 through 9.1.9
  • 9.2.0 through 9.2.9
  • 9.3.0 through 9.3.9
  • 9.4.0 through 9.4.3

We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.

Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.

Note: Disabling the "Repo by URL" import option does not fully mitigate this vulnerability as existing projects will still be able to change their import URLs.

Removing support for SSH URLs

GitLab CE+EE instances that cannot be patched immediately can disable support for SSH URLs in project imports and mirrors by editing the GitLab source code and removing ssh from the list of valid protocols.

For source users edit: /app/validators/addressable_url_validator.rb.

For Omnibus users edit: /opt/gitlab/embedded/service/gitlab-rails/app/validators/addressable_url_validator.rb.

Change: DEFAULT_OPTIONS = { protocols: %w(http https ssh git) }.freeze To: DEFAULT_OPTIONS = { protocols: %w(http https git) }.freeze Then restart GitLab.

For Omnibus users: gitlab-ctl restart.

Verifying the workaround

  1. Choose to create a new project
  2. Choose "Import by URL".
  3. Specify a URL such as ssh://gitlab.com/foo.git.
  4. Verify that GitLab returns an invalid URL error.

Be certain that you do not revert this patch until you have installed an updated version of git.