Google researchers disclose high-severity vulnerability affecting GitHub

2020-11-04

Google's Project Zero researchers have disclosed a high-severity vulnerability in GitHub, which, they say, could allow attackers to remotely execute code on affected systems.

The bug was discovered by Project Zero's Felix Wilhelm in July. The research team then notified GitHub about the flaw in their platform, giving them a 90-day deadline (which expired on 18th October) to address the issue.

In an on Tuesday, Wilhelm said that he uncovered the flaw via source code review and found that it impacts GitHub Actions' workflow commands.

Workflow commands in GitHub are used to provide a communication channel between executed actions and the Action Runner.

Wilhelm said that GitHub Action's workflow commands are vulnerable to injection attacks.

"As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable," he said.

"In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed."

Wilhelm said that workflow commands in GitHub Action are implemented in a "fundamentally insecure" way, so addressing the flaw could be a difficult process.

Deprecating the command syntax could provide a short-term solution, according to Wilhelm, while fixing the flaw permanently would require moving workflow commands to some out-of-bound channel (which would also impact other pieces of dependent code).

In an advisory issued last month, GitHub informed users that some vulnerable commands were being deprecated due to a "moderate security vulnerability" in the platform. The advisory urged users to update their workflows.

"A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to STDOUT," the .

"This can result in environment variables being introduced or modified without the intention of the workflow author."

"To address this issue we have introduced a new set of files to manage environment and path updates in workflows. If you are using self-hosted runners make sure they are updated to version 2.273.1 or greater."

On 16th October, Google gave GitHub a 14-day grace period to fully disable the commands.

On 2nd November, Google disclosed the details of the flaw in the public domain, along with proof-of-concept (PoC) code to show how the bug can be exploited.

The disclosure of GitHub vulnerability from Project Zero team comes days after the team revealed details of a that, they said, is being actively exploited by hackers to run malicious programmes on Windows machines.

The Project Zero team has a history of disclosing critical vulnerabilities in prominent software products, including Windows 10, iOS and macOS kernel, among others.

Earlier this year, the team announced in order to give vendors more time to create "thorough" patches for security flaws uncovered in their applications.

The team said that under the revised policy, it will wait for at least 90 days before publicly revealing the details of a security bug, even if the bug is fixed ahead of that deadline.

Now, vendors can also request an additional 14-day grace period from Google if they believe they won't be able to fix the reported vulnerability within 90 days.