A high-severity vulnerability in GitHub's Actions runner has been disclosed by Google's Project Zero (GPZ) team. The flaw could allow attackers to execute code remotely on affected systems. The bug was found on July 21 by Google Project Zero's Felix Wilhelm.
Wilhelm said in an online post on Tuesday that he uncovered the flaw through source code analysis and that it affects the workflow commands of GitHub Actions.
In GitHub, workflow commands provide a communication channel between executed actions and the Action Runner. Wilhelm said that the workflow commands of GitHub Actions are susceptible to injection attacks.
“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable,” he said. “In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.”
In other words, in most instances the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
Wilhelm added that he spent quite a bit of time looking at popular GitHub repositories and found that almost every project with somewhat complicated GitHub actions is vulnerable to this bug class.
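An added example, not code from GitHub or Project Zero: a Node.js helper an action could use to flag untrusted text that would be parsed as workflow commands, and to wrap it in GitHub's documented `stop-commands` pair before printing it. The matching rules, function names and sample title are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Assumption: a stdout line is treated as a workflow command when it starts
// (after leading whitespace) with "::name", or contains the legacy "##[name]" form.
const V2_RE = /^\s*::([A-Za-z][\w-]*)/;
const V1_RE = /##\[([A-Za-z][\w-]*)/;

// List the workflow commands the runner would see if `text` were printed verbatim.
function findWorkflowCommands(text) {
  const hits = [];
  String(text).split(/\r\n|\r|\n/).forEach((line, i) => {
    const m = V2_RE.exec(line) || V1_RE.exec(line);
    if (m) hits.push({ line: i + 1, command: m[1].toLowerCase() });
  });
  return hits;
}

// Wrap untrusted text in a stop-commands / resume pair so the runner ignores
// any command inside it. The token must be unpredictable for every call.
function guardUntrusted(text, token = crypto.randomBytes(16).toString("hex")) {
  const body = String(text);
  // Refuse content that already contains the resume marker for this token.
  if (body.includes(`::${token}::`)) {
    throw new Error("resume token found in untrusted text");
  }
  return [`::stop-commands::${token}`, body, `::${token}::`].join("\n");
}

// Constructed sample: an untrusted issue title carrying an embedded newline.
const SAMPLE_TITLE = "Build fails on main\n::set-env name=DEMO_VAR::demo-value";

// Report what would have been parsed, then print the guarded form.
console.log(findWorkflowCommands(SAMPLE_TITLE));
console.log(guardUntrusted(SAMPLE_TITLE));
```

The detector is deliberately conservative, so it is better suited to logging and alerting than to deciding whether output is safe to print unguarded.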
Following the discovery of the bug on July 21, Google's research team contacted GitHub with details of the vulnerability in its platform.
Under its updated disclosure policy, the research team gave GitHub a 90-day deadline, which expired on October 18, to address the problem before it was made public.
One day before the deadline, however, GitHub gave its official reply and asked for an additional two days to inform customers of a patch at a future date.
So on Monday, GPZ went ahead and disclosed the bug, because under its policy it cannot grant an extension beyond 104 days (90 days plus a 14-day grace period).
“GitHub responds and mentions that they won’t be disabling the vulnerable commands by 2020-11-02. They request an additional 48 hours, not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future,” wrote Wilhelm.