GitHub says it has fixed major security flaw

(Image credit: Shutterstock)
Audio player loading…

A severe GitHub (opens in new tab) security flaw has finally been fixed more than three months after it was first discovered. 

Back in July, Google’s Project Zero team notified GitHub that its GitHub Actions feature was highly vulnerable to injection attacks. The firm was given 90 days to patch the flaw, plus a 14-day additional grace period, before it was disclosed publicly.

GitHub managed to solve the issue on November 16, however, by disabling two old runner commands (opens in new tab). The former version of the “set-env” runner command, for example, was causing issues because its ability to define arbitrary environment variables meant that it could be exploited to launch injection attacks.

“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable,” Google Project Zero researcher Felix Wilhelm explained (opens in new tab). “In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.”

Problem solved for now

The patch is likely to only be a short-term fix as it simply works by depreciating the offending command syntax. A longer-term solution is likely to involve moving workflow commands to an out-of-bound channel, but that will affect dependent code, so might take a while to implement.

Project Zero has now listed the problem as fixed, which leaves nine (opens in new tab) unresolved security bugs that the team has identified. The outstanding vulnerabilities are affecting software produced by Apple, Qualcomm, Microsoft and Google itself.

Via ZDNet (opens in new tab)

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.