Google’s Project Zero (GPZ) team on Tuesday disclosed a high-severity vulnerability in GitHub’s Actions runner feature that could allow attackers to remotely execute code on affected systems. 

The bug was discovered by Project Zero’s Felix Wilhelm on July 21. According to Wilhelm, the flaw deals with the fact that Actions’ workflow commands are “highly vulnerable to injection attacks”. These workflow commands act as a communication channel between the Action runner and the executed action.

“The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class,” Wilhelm explained in a Project Zero report.

Following the discovery of the bug on July 21, Google’s research team contacted GitHub with information about the vulnerability in their platform. The research team gave GitHub a 90-day deadline under the revised disclosure policy (which expired on October 18th) to fix the issue before publicly revealing the details of the bug. 

For those unaware, under the revised disclosure policy, GPZ will wait for at least 90 days before publicly revealing the details of a security bug, even if the bug is fixed ahead of that deadline. Also, vendors can request an additional 14-day grace period from Google if they believe they won’t be able to fix the reported vulnerability within 90 days.

With the deadline approaching, GitHub issued a security advisory on October 1 and deprecated the vulnerable commands, set-env and add-path. It also posted a description of the issue and disputed that what GPZ had found was, in fact, a “moderate security vulnerability” and assigned the bug the tracking identifier CVE-2020-15228. The advisory urged users to update their workflows.

“A moderate security vulnerability has been identified in the GitHub Actions runner that can allow environment variable and path injection in workflows that log untrusted data to STDOUT,” the GitHub advisory said.

“This can result in environment variables being introduced or modified without the intention of the workflow author.”

“To address this issue we have introduced a new set of files to manage environment and path updates in workflows. If you are using self-hosted runners make sure they are updated to version 2.273.1 or greater.”

Wilhelm said that workflow commands in GitHub Action are hard to fix. “The way workflow commands are implemented is fundamentally insecure.” GitHub’s solution is to gradually remove the risky commands permanently.

On October 12, GPZ contacted GitHub and proactively offered it a 14-day grace period to fully disable the commands. The developer platform accepted the offer knowing that the bug would be publicly disclosed on November 2.

But just a day before the grace period came to an end, GitHub gave its official response and requested an additional 48-hour extension to notify customers of a fix at a future date. 

“GitHub responds and mentions that they won’t be disabling the vulnerable commands by 2020-11-02. They request an additional 48 hours, not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future,” wrote Wilhelm. 

However, GPZ on Monday went ahead and disclosed the bug it reported because as per its policy, it cannot offer an extension beyond the 104 days (90 days + 14-day grace extension).

“Grace periods will not be granted for vulnerabilities that are expected to take longer than 104 days to fix,” Google Project Zero states on its 2020 disclosure policy