Google’s Project Zero team has publicly disclosed a high-severity flaw in GitHub that could be exploited to launch injection attacks on the popular developer platform.
The search giant’s team of security analysts is well regarded for discovering major vulnerabilities in popular software and earlier this week, it disclosed a Windows 10 zero-day that could allow hackers to seize control of users’ computers.
Back in January, Project Zero changed its disclosure policy to give vendors a full 90 days before disclosing issues in their systems or software. This is why GitHub was given until October 18 to fix its high severity flaw after Google’s researchers discovered it back in July. With the deadline approaching, GitHub deprecated vulnerable commands in October and released a security advisory warning users to update their workflows.
In mid-October, the developer platform then accepted a 14-day grace period from Project Zero knowing that the vulnerability would be publicly disclosed on November 2.
The vulnerability, tracked as CVE-2020-15228, stems from the fact that workflow commands in GitHub Actions are highly susceptible to injection attacks. These commands serve as a communication channel between executed actions and the Action Runner on the platform.
Felix Wilhelm, a senior information security engineer at Google, explained in a Project Zero report that almost all projects with complex GitHub Actions are vulnerable to injection attacks, saying:
“The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.”
Fixing the issue entirely will be quite difficult for GitHub, as the way workflow commands are implemented is “fundamentally insecure”, according to Wilhelm. While the command syntax can be deprecated as a short-term solution to the problem, a long-term fix would require workflow commands to be moved to an out-of-band channel, though this would also break other pieces of dependent code.
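To make the parsing problem concrete, here is an added illustration (not code from GitHub, the runner, or the Project Zero report) that models how a runner scanning STDOUT line by line turns untrusted text into a command, and how wrapping that output in the runner’s `::stop-commands::TOKEN` … `::TOKEN::` guard with an unguessable token neutralises it. The regex and the runner loop are simplifications of the real runner’s behaviour, and the sample issue title is constructed.

```python
import re
import secrets

# Simplified model of the runner's per-line scan for "::name k=v::value" commands.
COMMAND_RE = re.compile(r"^::([^:\s]+)(?:\s+([^:]*))?::(.*)$")

def parse_command(line):
    """Return (name, properties, value) if the line is a workflow command, else None."""
    m = COMMAND_RE.match(line.rstrip("\n"))
    if not m:
        return None
    name, props, value = m.group(1), m.group(2) or "", m.group(3)
    properties = {}
    for pair in filter(None, props.split(",")):
        key, _, val = pair.partition("=")
        properties[key.strip()] = val.strip()
    return name, properties, value

def process_output(lines, env):
    """Model of the runner loop: apply set-env commands found in output,
    ignoring everything between ::stop-commands::TOKEN and ::TOKEN::."""
    stop_token = None
    for line in lines:
        cmd = parse_command(line)
        if stop_token is not None:
            if cmd and cmd[0] == stop_token:  # matching end marker resumes parsing
                stop_token = None
            continue
        if cmd is None:
            continue
        name, props, value = cmd
        if name == "stop-commands":
            stop_token = value
        elif name == "set-env":  # the deprecated command the advisory concerns
            env[props.get("name", "")] = value
    return env

def echo_untrusted(text, hardened):
    """Lines an action prints when it echoes untrusted text (e.g. an issue title)."""
    if not hardened:
        return text.splitlines()
    token = secrets.token_hex(16)  # unguessable, so the text cannot close the guard
    return [f"::stop-commands::{token}", *text.splitlines(), f"::{token}::"]

# Constructed sample: an issue title that smuggles a workflow command.
UNTRUSTED = "Bug report\n::set-env name=INJECTED::1\n"

def demo(hardened):
    return process_output(echo_untrusted(UNTRUSTED, hardened), {})
```

Without the guard the injected line sets a variable in the job environment; with it the same lines are treated as plain text. GitHub’s longer-term replacement moves such commands out of STDOUT entirely, which is the out-of-band channel the article refers to.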
Just before the grace period came to an end, GitHub requested an additional 48-hour extension from Project Zero, not to patch the issue but to notify additional customers and to determine a final date to fix the vulnerability.