Google to GitHub: Time’s up – this unfixed ‘high-severity’ security bug affects developers
Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes a high-severity flaw on GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline.
The bug in GitHub’s Actions feature – a developer workflow automation tool – has become one of the rare vulnerabilities that wasn’t properly fixed before Google Project Zero’s (GPZ) standard 90-day deadline expired. Over 95.8% of flaws are fixed within the deadline, according to Google’s hackers.
GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached after Google gave it every chance to fix the bug.
As detailed in a disclosure timeline by GPZ’s Felix Wilhelm, the Google security team reported the issue to GitHub’s security on July 21 and a disclosure date was set for October 18.
According to Wilhelm, Actions’ workflow commands are “highly vulnerable to injection attacks”.
“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed,” wrote Wilhelm.
“I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.”
GitHub issued an advisory on October 1 and deprecated the vulnerable commands, but argued that what Wilhelm had found was in fact a “moderate security vulnerability”. GitHub assigned the bug the tracking identifier CVE-2020-15228.
On October 12, GPZ contacted GitHub and proactively offered it a 14-day grace period if GitHub wanted more time to disable the vulnerable commands, according to Wilhelm.
GitHub then took up the offer of a grace period, and per Wilhelm, it hoped to disable the vulnerable commands after October 19. GPZ then set the new disclosure date to November 2.
Then on October 28, GPZ alerted GitHub that the deadline was expiring the following week but got no response.
Due to lack of official response from GitHub, Project Zero contacted informal GitHub contacts who said “the issue is considered fixed and that [GPZ] are clear to go public on 2020-11-02 as planned”, explained Wilhelm.
But then a day before deadline, GitHub gave its official response and requested a further two days to notify customers of a fix at a future date.
“GitHub responds and mentions that they won’t be disabling the vulnerable commands by 2020-11-02. They request an additional 48 hours, not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future,” wrote Wilhelm.
So GPZ on Monday proceeded to disclose the bug it reported because it can’t, as per its policy, offer an extension beyond the 104 days – 90 days plus 14 days’ grace.