December 5, 2020

Google announced an unfixed vulnerability in GitHub


Google's Project Zero recently announced Windows 10 zero-day security vulnerabilities. Although Microsoft has not yet repaired the flaw, the relevant details have been disclosed.

Google is now revealing new vulnerabilities once again. The vulnerabilities announced this time are in GitHub, Microsoft's code hosting platform.

According to information released by Google, an attacker who exploits this vulnerability can perform injection attacks. The vulnerability is highly harmful but difficult to repair, and it could not be repaired in time.

For this reason, within the 90-day disclosure period, Microsoft asked Google to delay the disclosure by 14 days. With this delay, the actual period was 104 days and the deadline was November 2.


Despite pressure from Google, Microsoft still failed to complete the repair on time, so it approached Google again, hoping to postpone the disclosure for another two days.

This time Google rejected Microsoft's request, so the vulnerability has been announced. Because GitHub has not yet completed the repair, a large number of projects are at risk.

This vulnerability is very harmful and difficult to repair. Felix Wilhelm, who discovered the security flaw via source code review, says:

The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.

I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.
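The parsing behaviour described in the quote can be modelled in a few lines. The following is an added example, not code from the article, from Felix Wilhelm or from the GitHub runner: the regular expression is a simplified model of the `::set-env name=...::value` workflow-command syntax, and `ISSUE_BODY`, `EXAMPLE_VAR` and the function names are constructed for illustration. It shows untrusted text being interpreted as a command, a check that flags such lines, and an action quoting the text before printing it.

```python
import re

# Simplified model of the "::command key=value::data" syntax; an assumption
# for illustration, not the runner's source code.
COMMAND_RE = re.compile(
    r"^\s*::(?P<cmd>[A-Za-z-]+)(?:\s+(?P<params>[^:]*))?::(?P<data>.*)$"
)


def parse_command(line):
    """Return (command, params, data) if the line is a workflow command, else None."""
    m = COMMAND_RE.match(line)
    if not m:
        return None
    params = {}
    for pair in (m.group("params") or "").split(","):
        key, sep, value = pair.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return m.group("cmd"), params, m.group("data")


def run_step(stdout_text, env=None):
    """Model runner: every stdout line is parsed; set-env changes the env of later steps."""
    env = dict(env or {})
    for line in stdout_text.splitlines():
        parsed = parse_command(line)
        if parsed and parsed[0] == "set-env" and "name" in parsed[1]:
            env[parsed[1]["name"]] = parsed[2]
    return env


def flag_command_lines(untrusted_text):
    """Detection: lines of untrusted input that the parser would treat as commands."""
    return [l for l in untrusted_text.splitlines() if parse_command(l)]


def quote_untrusted(untrusted_text):
    """Mitigation inside an action: prefix each line so none starts with '::'."""
    return "\n".join("> " + l for l in untrusted_text.splitlines())


# Constructed sample: an issue body that an action echoes to its log.
ISSUE_BODY = "Build fails on main\n::set-env name=EXAMPLE_VAR::value-chosen-by-author"

if __name__ == "__main__":
    print(run_step("Processing issue:\n" + ISSUE_BODY))                   # variable set by data
    print(flag_command_lines(ISSUE_BODY))                                 # offending line
    print(run_step("Processing issue:\n" + quote_untrusted(ISSUE_BODY)))  # nothing set
```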

GitHub has now announced a fix and requires users to upgrade immediately to block the vulnerability, and the company will continue to release fixes to solve the problem.

Because all details of the vulnerability have been announced, some attackers may immediately use it to launch attacks, so developers also need to be alert to potential attacks. Microsoft and GitHub have not yet issued a statement on this matter.

Via: Neowin