Google’s Project Zero has struck again, releasing details of an unpatched vulnerability in Microsoft software.
The company has today released details of a “high severity” vulnerability in GitHub Actions that allows remote code execution in affected workflows.
The flaw lies in workflow commands, which act as a communication channel between executing actions and the Actions Runner. Felix Wilhelm, who discovered the issue, describes it as follows:
The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.
The problem appears to be fundamental to how workflow commands work, making it very difficult to fix without changing the mechanism itself. GitHub’s advisory notes:
`add-path` and `set-env` Runner commands are processed via stdout
The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author.
The runner will release an update that disables the set-env and add-path workflow commands in the near future. For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.
On workarounds, the advisory offers none, stating that “it is strongly suggested that you upgrade as soon as possible.”
Google reported the flaw to GitHub on the 21st of July, starting Project Zero’s standard 90-day disclosure deadline. GitHub deprecated the vulnerable commands and sent out an advisory about a “moderate security vulnerability”, asking users to update their workflows. It also asked Google for a 14-day disclosure delay, which Google accepted, moving the disclosure date to the 2nd of November 2020. Microsoft then asked for a further delay of 48 hours, which Google declined, leading to yesterday’s disclosure.
The full details of the vulnerability can be found on the Project Zero issue tracker at Chromium.org.