Google's Project Zero team has discovered vulnerabilities and bugs in Google's own software, although it is best known for exposing security holes in other companies' products. Its methodology is to identify security vulnerabilities in software and report them privately to the vendor, giving it 90 days to fix them before they are publicly disclosed.
Depending on the complexity of the required fix, it sometimes also offers additional days in the form of a grace period. In specific scenarios, companies may even have fewer than 90 days to resolve issues before Google announces them publicly.
GitHub will need to resolve a serious security issue
Over the past two years, the team has revealed significant vulnerabilities in Windows, Windows 10 S, the macOS kernel, and iOS, among others. A few days ago the security team revealed an exploit present in different versions of Windows, and today it revealed a security vulnerability in GitHub.
The vulnerability has been classified as "high severity" by Google Project Zero. We will leave the technical details aside, but you can read them here if you want. In short, the problem lies in GitHub Actions workflow commands, which are extremely vulnerable to injection attacks. For those who don't know, workflow commands act as a communication channel between the executed actions and the action runner. Felix Wilhelm, who discovered the security vulnerability while examining the source code, says that:
"The big problem with this feature is that it is very vulnerable to injection attacks. As the runner process scans all lines printed to STDOUT for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, being able to set arbitrary environment variables results in remote code execution whenever another workflow runs."
In his original post, Wilhelm went on to say that he didn't know how to fix the problem. The way workflow commands are implemented is "fundamentally insecure". A short-term solution would be to deprecate the command syntax. A long-term solution would involve moving the workflow commands to an out-of-band channel, but that would also break other code that depends on them.
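To make the mechanism concrete, here is an added Python example; it is not code from the article, from Wilhelm's post or from GitHub's runner. It models a runner that scans STDOUT for `::command key=value::data` lines (a simplified approximation of the real grammar), shows how an echoed, untrusted string becomes an environment change in a later step, provides a defensive check that flags untrusted content containing workflow-command syntax, and contrasts it with a file-based channel like the `GITHUB_ENV` file GitHub later documented (assumed from GitHub's documentation, not from the article). The issue title used as input is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified approximation of the workflow-command syntax the runner scans for:
#   ::<command> <key>=<value>,<key>=<value>::<data>
# The real runner's grammar is richer; this regex only needs the shape of the problem.
COMMAND_RE = re.compile(
    r"^::(?P<cmd>[A-Za-z][\w-]*)(?:\s+(?P<props>[^:]*?))?::(?P<data>.*)$"
)

# Commands whose effect persists into later steps. These are the ones GitHub
# deprecated; set-env is the case the article describes.
STATE_CHANGING_COMMANDS = {"set-env", "add-path"}


def parse_workflow_command(line: str) -> Optional[Tuple[str, Dict[str, str], str]]:
    """Return (command, properties, data) if the line is a workflow command, else None."""
    m = COMMAND_RE.match(line)
    if not m:
        return None
    props: Dict[str, str] = {}
    if m.group("props"):
        for item in m.group("props").split(","):
            if "=" in item:
                key, value = item.split("=", 1)
                props[key.strip()] = value.strip()
    return m.group("cmd"), props, m.group("data")


def simulate_runner_before_fix(stdout_lines: List[str], env: Dict[str, str]) -> Dict[str, str]:
    """Model of the vulnerable behaviour: any set-env seen on STDOUT updates the job environment."""
    env = dict(env)
    for line in stdout_lines:
        parsed = parse_workflow_command(line)
        if parsed and parsed[0] == "set-env":
            name = parsed[1].get("name")
            if name:
                env[name] = parsed[2]
    return env


def simulate_runner_after_fix(stdout_lines: List[str], env_file_lines: List[str],
                              env: Dict[str, str]) -> Dict[str, str]:
    """Model of the fixed behaviour: STDOUT is no longer a control channel for state-changing
    commands; only NAME=value lines written to a dedicated file (GITHUB_ENV-style, assumed) apply."""
    env = dict(env)
    for line in stdout_lines:
        parsed = parse_workflow_command(line)
        if parsed and parsed[0] in STATE_CHANGING_COMMANDS:
            continue  # ignored; the real runner reports an error for deprecated commands
    for line in env_file_lines:
        if "=" in line:
            key, value = line.split("=", 1)
            env[key] = value
    return env


def find_injected_commands(untrusted_text: str) -> List[Tuple[int, str, bool]]:
    """Defensive check for a workflow author: list (line number, command, is_state_changing)
    for every line of untrusted content that a runner would interpret as a workflow command."""
    findings = []
    for number, line in enumerate(untrusted_text.splitlines(), 1):
        parsed = parse_workflow_command(line)
        if parsed:
            findings.append((number, parsed[0], parsed[0] in STATE_CHANGING_COMMANDS))
    return findings


# Constructed sample input: an issue title containing a newline followed by a workflow command.
# A step that echoes the title puts the second line on STDOUT on its own.
SAMPLE_ISSUE_TITLE = "Fix build\n::set-env name=CI_FLAG::injected"
SAMPLE_STDOUT = ("Processing issue: " + SAMPLE_ISSUE_TITLE).splitlines()


def demo() -> Tuple[Dict[str, str], Dict[str, str], List[Tuple[int, str, bool]]]:
    base_env = {"PATH": "/usr/bin"}
    vulnerable = simulate_runner_before_fix(SAMPLE_STDOUT, base_env)
    fixed = simulate_runner_after_fix(SAMPLE_STDOUT, ["CI_FLAG=from-env-file"], base_env)
    return vulnerable, fixed, find_injected_commands(SAMPLE_ISSUE_TITLE)


if __name__ == "__main__":
    vuln, fixed, findings = demo()
    print("before fix:", vuln)
    print("after fix: ", fixed)
    print("flagged:   ", findings)
```

Running `demo()` shows the same STDOUT producing `CI_FLAG=injected` under the old behaviour and no change under the fixed one, where only the value written to the env file is honoured; `find_injected_commands` is the kind of pre-check a workflow can run over untrusted input (issue titles, PR bodies, commit messages) before printing it.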
Partial solution and bad result
After discovering the security issue on July 21, the Project Zero team naturally contacted GitHub to report the vulnerability, giving it 90 days to resolve the issue, a deadline that would expire on October 18. Earlier this month, GitHub decided to deprecate the vulnerable commands and issued a "moderate security vulnerability" advisory asking users to update their workflows. On October 16, GitHub accepted Google's 14-day grace period to completely disable the commands, making November 2 the new deadline.
On November 1, GitHub asked the Project Zero team for an additional 48 hours. However, this additional grace period was not intended to fix the problem; it was to warn customers and set a "hard date" for fixing the vulnerability. As this does not follow the standard Project Zero disclosure process, the security team made the issue public, with proof-of-concept code also available.