Google's Project Zero team (GPZ) recently disclosed a high-severity vulnerability it found in GitHub's Actions runner feature which could allow attackers to remotely execute code on affected systems. The bug was originally discovered by Project Zero's own Felix Wilhelm on July 21.

Why is the feature so vulnerable to attacks?

According to Wilhelm, the flaw stems from the fact that the Actions workflow commands are, in his own words, "highly vulnerable to injection attacks." These workflow commands act as a communication channel between the Action runner and the action being executed.

As Wilhelm explained in his Project Zero report, the big problem with this feature is that it is highly vulnerable to injection attacks: because the runner process parses every single line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable.
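To make the parsing behaviour concrete, here is an added illustration (not GitHub's runner code) of a simplified runner-style scanner that treats any STDOUT line of the form `::command key=value::payload` as a workflow command, together with an audit that flags the two commands GitHub later deprecated, set-env and add-path. The command syntax is a simplified assumption and the job log lines are constructed samples.

```python
"""Simplified model of how an Actions-style runner scans each STDOUT line
for '::command key=value::payload' workflow commands, with an audit that
flags the two deprecated commands. Illustration only, not the runner's code."""
import re

# Simplified form of the '::name key=value,key=value::payload' line syntax;
# the real runner handles escaping that this model deliberately ignores.
COMMAND_RE = re.compile(
    r"^::(?P<name>[A-Za-z0-9_-]+)(?: (?P<params>[^:]*))?::(?P<value>.*)$"
)
DEPRECATED = {"set-env", "add-path"}  # the two commands GitHub deprecated


def parse_workflow_command(line):
    """Return (name, params, payload) if the line is a command, else None."""
    m = COMMAND_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = {}
    for kv in (m.group("params") or "").split(","):
        if "=" in kv:
            key, _, val = kv.partition("=")
            params[key.strip()] = val.strip()
    return m.group("name"), params, m.group("value")


def audit_output(lines):
    """List (line_no, command, target, payload) for every deprecated command:
    each is a printed line that would have altered the job's environment
    or PATH, which is the injection surface described in the article."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        cmd = parse_workflow_command(line)
        if cmd and cmd[0] in DEPRECATED:
            name, params, payload = cmd
            target = params.get("name") if name == "set-env" else payload
            findings.append((line_no, name, target, payload))
    return findings


# Constructed job log: lines 2 and 4 stand for untrusted strings (think: a
# PR title) that an action echoed to STDOUT verbatim, so the runner sees
# commands rather than plain text.
SAMPLE_LOG = [
    "Building project",
    "::set-env name=DEMO_VAR::demo-value",
    "::warning file=app.js,line=1::Missing semicolon",
    "::add-path::/tmp/demo-bin",
]

if __name__ == "__main__":
    for finding in audit_output(SAMPLE_LOG):
        print("deprecated command in job output:", finding)
```

Running the audit over a job's captured output is a cheap way to find actions that still emit the deprecated commands, whether intentionally or because they print untrusted input.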

GitHub was given a grace period to fix this vulnerability

In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. Wilhelm explained that he spent a considerable amount of time looking at popular GitHub repositories and found that almost any project with somewhat complex GitHub actions is vulnerable to this bug class.

Following the bug's discovery on July 21, Google's research team contacted GitHub with the information about the vulnerability in its platform. Under its revised disclosure policy, the team gave GitHub a 90-day deadline (which expired on October 18) to fix the issue before it would be made public.


GitHub has finally announced the vulnerability to the public

In response to the deadline, GitHub issued a security advisory on its official page on October 1 and deprecated the two vulnerable commands, add-path and set-env. It also posted a description of the issue and argued that what GPZ had found was only a "moderate security vulnerability." GitHub assigned the bug the tracking identifier CVE-2020-15228. The advisory urged users to update their workflows immediately.

On October 12, GPZ contacted GitHub and offered a 14-day grace period before disclosure so that it could fully disable the commands. The developer platform accepted the offer, and the bug was scheduled to be publicly disclosed on November 2. However, just a day before the grace period ended, GitHub requested another 48-hour extension in order to notify its customers of the fix as well as a future date.


This article is owned by Tech Times

Written by Urian Buenconsejo

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.