Google's Project Zero reveals details of 'high severity' security flaw with Microsoft's GitHub

Security issues are frequently exposed by Google's Project Zero; just days ago, security researchers revealed details of an actively exploited Windows Kernel Cryptography Driver security flaw.

Now Project Zero has released details of a serious security flaw in another Microsoft venture -- GitHub. The bug relates to GitHub Actions' workflow commands and is described as being high severity. It was discovered back in July but, as per the standard 90-day disclosure period, details are only just now being made public.

See also:

• How to get the Windows 7 Start menu in Windows 10
• Install KB4580364 update to fix Windows 10 problems and gain the new Meet Now taskbar button
• Google shares details of a Windows Kernel Cryptography Driver security flaw that's being exploited by hackers

Going into some detail on the Project Zero site, the security researcher who discovered the flaw -- Felix Wilhelm -- explains: "Github Actions supports a feature called workflow commands (https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions) as a communication channel between the Action runner and the executed action. Workflow commands are implemented in runner/src/Runner.Worker/ActionCommandManager.cs (https://github.com/actions/runner/blob/0921af735a3c8fb6cf22ddc8a868b742816e24cf/src/Runner.Worker/ActionCommandManager.cs)  and work by parsing STDOUT of all executed actions looking for one of two command markers".

He goes on to explain:

V2 commands have to start at the beginning of a line and look like this "::workflow-command parameter1={data},parameter2={data}::{command value}". V1 commands can also start in the middle of a line and have the following syntax: "##[command parameter1=data;]command-value". The current version of the Github action runner supports a small number of different commands but the most interesting one from a security perspective is "set-env". As the name suggests, "set-env" can be used to define arbitrary environment variables as part of a workflow step. A simple example (in V1 syntax) would be ##[set-env name=VERSION;]alpha, which puts VERSION=alpha in the environment of all succeeding steps in a workflow.

The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.

Addressing the problem is not going to be simple as it would require a complete rethinking of how the workflow command works. However, Microsoft has published an advisory which tells users how to update workflows.

Image credit: Piotr Swat / Shutterstock