Skip to main content

GitHub says it has fixed major security flaw

Lock
(Image credit: Shutterstock)

A severe GitHub security flaw has finally been fixed more than three months after it was first discovered. 

Back in July, Google’s Project Zero team notified GitHub that its GitHub Actions feature was highly vulnerable to injection attacks. The firm was given 90 days to patch the flaw, plus a 14-day additional grace period, before it was disclosed publicly.

GitHub managed to solve the issue on November 16, however, by disabling two old runner commands. The former version of the “set-env” runner command, for example, was causing issues because its ability to define arbitrary environment variables meant that it could be exploited to launch injection attacks.

“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable,” Google Project Zero researcher Felix Wilhelm explained. “In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.”

Problem solved for now

The patch is likely to only be a short-term fix as it simply works by depreciating the offending command syntax. A longer-term solution is likely to involve moving workflow commands to an out-of-bound channel, but that will affect dependent code, so might take a while to implement.

Project Zero has now listed the problem as fixed, which leaves nine unresolved security bugs that the team has identified. The outstanding vulnerabilities are affecting software produced by Apple, Qualcomm, Microsoft and Google itself.

Via ZDNet