
Google discloses 'high' severity security flaw in GitHub


Karlston


Google discloses 'high' severity security flaw in GitHub

Google's Project Zero team is well-known for discovering vulnerabilities and bugs in Google's own software as well as that developed by other companies. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period. In specific scenarios, companies may even be given less than the standard 90 days to fix issues before Google publicly announces them.

 

Over the past couple of years, the team has revealed major vulnerabilities in Windows, Windows 10 S, macOS kernel, and iOS, among others. A couple of days ago, the security team disclosed a zero-day exploit present in various versions of Windows, and today it has revealed a security flaw in GitHub.


The vulnerability has been classified as a "high" severity issue by Google Project Zero. We'll spare you the nitty-gritty technical details - and you're free to view them in detail here if you want - but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks. For those unaware, workflow commands act as a communication channel between executed actions and the Action Runner.

 

Felix Wilhelm, who discovered the security flaw via source code review, says that:

The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.

 

I've spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.

In his original post, Wilhelm went on to say that he's unsure how to fix the issue, as the way workflow commands are implemented is "fundamentally insecure". A short-term solution would be to deprecate the command syntax, whereas a long-term fix would involve moving workflow commands to some out-of-band channel, but that would also break other pieces of dependent code.

 

Following the discovery of the security flaw on July 21, the Project Zero team naturally reached out to GitHub with information about the vulnerability, giving them the standard 90 days to resolve it - which would expire on October 18. At the start of October, GitHub decided to deprecate vulnerable commands and sent out an advisory about a "moderate security vulnerability", asking users to update their workflows. On October 16, GitHub accepted Google's 14-day grace period to fully disable the commands, making November 2 the new deadline.

 

From October 28 there was radio silence from GitHub. On November 1, GitHub asked the Project Zero team for an additional 48 hours. However, this additional grace period was not to patch the issue, but to further notify customers and to determine a "hard date" for fixing the vulnerability. As this is not in line with Project Zero's standard disclosure process, the security team made the flaw public today, with proof-of-concept code made available as well.

 


 

Editor's Note: The last paragraph has been slightly modified for more clarity.
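The mechanism Wilhelm describes above, modelled in a small Python example added here (this is not code from the original post, from Project Zero, or from GitHub's runner). It parses each stdout line for the `::command key=value::data` shape the article refers to: `parse_stdout_legacy` shows the pre-deprecation behaviour, where a printed line of untrusted text can set an environment variable or extend PATH; `parse_stdout_hardened` ignores `set-env`/`add-path` on stdout and takes environment changes only from a separate key=value file, a simplified stand-in for the out-of-band channel the article mentions (the file format and the command grammar are assumptions, not the runner's real implementation); `find_state_changing_commands` is a review helper for archived job logs. The sample log and env-file lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of a workflow command line on stdout (assumed model, not the
# runner's actual grammar): ::name key=value,key2=value2::data
COMMAND_RE = re.compile(r"^::(?P<cmd>[a-z-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$")

# Commands that let a printed line change the job's environment; these are
# the ones GitHub deprecated from the stdout channel.
STATE_CHANGING = {"set-env", "add-path"}


def parse_command(line: str) -> Optional[Tuple[str, Dict[str, str], str]]:
    """Return (command, properties, data) if the line is a workflow command, else None."""
    m = COMMAND_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    props: Dict[str, str] = {}
    for kv in (m.group("props") or "").split(","):
        if "=" in kv:
            key, value = kv.split("=", 1)
            props[key.strip()] = value
    return m.group("cmd"), props, m.group("data")


def parse_stdout_legacy(stdout_lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Pre-deprecation behaviour: any stdout line can set env vars or extend PATH.
    A step that echoes untrusted text (a PR title, an issue body) hands the
    author of that text control over the job environment."""
    env: Dict[str, str] = {}
    extra_path: List[str] = []
    for line in stdout_lines:
        parsed = parse_command(line)
        if parsed is None:
            continue
        cmd, props, data = parsed
        if cmd == "set-env":
            env[props.get("name", "")] = data
        elif cmd == "add-path":
            extra_path.append(data)
    return env, extra_path


def parse_stdout_hardened(stdout_lines: List[str],
                          env_file_lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Out-of-band variant: set-env/add-path on stdout are recorded as ignored,
    and environment changes come only from a key=value file the step writes
    deliberately (a simplification assumed for this example)."""
    env: Dict[str, str] = {}
    ignored: List[str] = []
    for line in stdout_lines:
        parsed = parse_command(line)
        if parsed is not None and parsed[0] in STATE_CHANGING:
            ignored.append(parsed[0])  # stdout is untrusted: never honour these
    for raw in env_file_lines:
        raw = raw.strip()
        if not raw or raw.startswith("#") or "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        env[key] = value
    return env, ignored


def find_state_changing_commands(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Review helper for archived job logs: report (line number, command, target)
    for every set-env/add-path that appeared on stdout, so a reviewer can check
    whether the text on that line came from an untrusted source."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        parsed = parse_command(line)
        if parsed is not None and parsed[0] in STATE_CHANGING:
            cmd, props, data = parsed
            hits.append((lineno, cmd, props.get("name", data)))
    return hits


# Constructed sample: a step that prints a pull-request title verbatim.
SAMPLE_STDOUT = [
    "Checking pull request title...",
    "Title: Fix typo in README",
    "::set-env name=INJECTED::attacker-controlled",  # text that came from the PR title
    "::add-path::/tmp/untrusted",                    # likewise
    "::warning::lint found 2 issues",                # a legitimate, harmless command
]
# Constructed sample: the env file the step's own shell wrote on purpose.
SAMPLE_ENV_FILE = ["BUILD_MODE=release", "", "# comment line"]

if __name__ == "__main__":
    print("legacy  :", parse_stdout_legacy(SAMPLE_STDOUT))
    print("hardened:", parse_stdout_hardened(SAMPLE_STDOUT, SAMPLE_ENV_FILE))
    print("review  :", find_state_changing_commands(SAMPLE_STDOUT))
```

Run as a script it shows the same three lines being interpreted as commands by the legacy parser and dropped by the hardened one; the `find_state_changing_commands` output is the kind of signal to look for when reviewing logs of workflows that existed before the deprecation.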

Lol, like they disclosed anything that GitHub haven't already; they disclosed this bug themselves Oct 1st. They should have disclosed this when GitHub made it public.

https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

 

Only reason they didn't want Google to disclose it was they didn't want the public drama from the outside saying "oh no, look, Google disclosed a 0day on GitHub". Most reporters don't go to GitHub to get security news about GitHub; if they did they would know it was disclosed a month ago.

https://github.com/advisories/GHSA-mfwh-5m23-j46w

GitHub thinks it's no big deal; they said it was a moderate issue. They're more worried about whether turning it off will break 1000s of builds (production) than about security, or they would have turned it off already, and this is not going to make them fix it any faster :rofl:

 

There's a lot more stuff wrong with that site too

https://github.com/advisories

 

Why does a branch of a trillion dollar company only have one engineer or a small team of them to begin with? The reason stems from the CEO down; it's the organization's fault, not the engineer's. If it was on GitHub's high list of priorities, the CEO would have it fixed. M$ paid 7 Billion Dollars for it; why have they not got it fixed by now?

 

Which to believe about it?

Google says it's High risk

GitHub says it's moderate

CVE says it's low risk

https://nvd.nist.gov/vuln/detail/CVE-2020-15228

 

Google has a stricter set of security standards than GitHub does, it seems. Nobody is even on the same page here.
