Google Project Zero (GPZ) has sent out confirmation of a security bug in Microsoft-owned GitHub. According to the security research team, there is a high-severity vulnerability in the popular open source code-hosting website.
If you are unfamiliar with Google Project Zero, it is a security team that hunts for security holes in popular software solutions. If a vulnerability is found, Google gives developers 90 days to issue a fix. If no action is taken, Project Zero publicly discloses the flaw.
According to the team, GitHub requested another 90-day extension for a bug found in the Actions features. The Project Zero team did not grant the extension and have now gone public with the vulnerability.
Actions was launched back in 2018. It gives developers tools to improve their projects. By leveraging Docker code containers, developers will be able to set a schedule of events. Projects can have event triggers ranging from an introduction of new code to testing channels that trigger Actions.
Missing the Deadline
This flaw is rare for Project Zero because GitHub was unable to issue a fix. According to Google, 95.8% of all vulnerabilities are patched before the 90-day deadline.
In its disclosure notes for the vulnerability, GPZ says GitHub has known of the problem since July 21 and missed an October 18 deadline. The team’s Felix Wilhelm adds the Actions tool commands are “highly vulnerable to injection attacks”.
“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed,” writes Wilhelm.
“I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.”
It is worth noting GitHub has not tried to sweep this problem under the rug. On October 1, the company issued a post detailing the problem (CVE-2020-15228). The company removed vulnerable commands at that point.