GitHub Actions Runner is an application that allows you to automate the execution of tasks using workflows, making it easy to integrate various tools and services in your development process. However, a critical vulnerability (CVE-2022-39321) has been discovered in certain GitHub Actions Runner versions, potentially allowing an attacker to exploit this bug to execute arbitrary commands on the host system. This vulnerability affects jobs that utilize container actions, job containers, or service containers with untrusted user inputs as environment variables.

Vulnerability Details

The issue is caused by a logic flaw in the way environment variables are encoded into the Docker commands executed by the GitHub Actions Runner. When the runner invokes the Docker CLI to run job containers, service containers, or container actions, an attacker who controls an environment variable value can craft it so that it escapes the intended variable scope and modifies the Docker command itself. The vulnerability exists in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4.

An example of a malicious environment variable that exploits the vulnerability could look like this:

  env:
    MALICIOUS_VAR: 'value"; docker run --rm -v host-path:/target-path some-image "'

When the actions runner includes this variable in a Docker command, the variable value "; docker run --rm -v host-path:/target-path some-image " closes the quoted argument early, so the remainder is parsed as a second command instead of as data, potentially putting the system at risk.
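To make the encoding flaw concrete, here is an added Python example; it is not the runner's own C# code and not taken from the advisory. It contrasts the unsafe pattern of splicing environment values into a single shell string with the hardened pattern of building an argument vector that never passes through a shell. The docker run line, the alpine:3 image, the variable name and the two sample values are constructed for illustration, and nothing is executed: the shell's view of each string is computed with shlex.

```python
import shlex

# Constructed sample values (not from the advisory): a benign value and
# one shaped like the breakout payload quoted in the text above.
BENIGN_VALUE = "value"
BREAKOUT_VALUE = 'value"; docker run --rm -v host-path:/target-path some-image "'


def naive_shell_command(env: dict, image: str) -> str:
    """Unsafe pattern (illustrative, not the runner's real code): splice
    each env value into one shell string and rely on double quotes to keep
    it together. A double quote inside the value ends the quoted token
    early, and whatever follows is parsed as shell syntax."""
    parts = ["docker", "run", "--rm"]
    for key, value in env.items():
        parts.append(f'-e "{key}={value}"')
    parts.append(image)
    return " ".join(parts)


def shell_tokens(command: str) -> list:
    """Tokenise a string the way a POSIX shell would, with ';' and the
    other control operators split out as their own tokens. Nothing is
    executed; this only shows how the shell would read the line."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_count(command: str) -> int:
    """Number of simple commands the shell would run for this string:
    1 plus the number of ';' separators seen outside quotes."""
    return 1 + sum(1 for tok in shell_tokens(command) if tok == ";")


def safe_docker_argv(env: dict, image: str) -> list:
    """Hardened pattern: build an argument vector and hand it to the
    process API with no shell in between (subprocess.run(argv) with a
    list never invokes /bin/sh). Each value is exactly one argv element,
    so quotes and semicolons inside it are data, not syntax."""
    argv = ["docker", "run", "--rm"]
    for key, value in env.items():
        if not key.isidentifier():  # only plain names may become variables
            raise ValueError(f"invalid environment variable name: {key!r}")
        argv += ["-e", f"{key}={value}"]
    argv.append(image)
    return argv


def safe_shell_string(argv: list) -> str:
    """If a single string is unavoidable (logging, a remote shell), quote
    every element individually instead of wrapping a template in quotes."""
    return shlex.join(argv)


if __name__ == "__main__":
    env = {"MALICIOUS_VAR": BREAKOUT_VALUE}
    naive = naive_shell_command(env, "alpine:3")
    print("naive string would run", command_count(naive), "commands")  # 2
    argv = safe_docker_argv(env, "alpine:3")
    print("argv keeps the value in one element:",
          argv[4] == f"MALICIOUS_VAR={BREAKOUT_VALUE}")  # True
    print("quoted string would run",
          command_count(safe_shell_string(argv)), "command")  # 1
```

The check to apply to any code that builds Docker (or other CLI) invocations from untrusted values is the same in any language: either the value reaches the process as one argv element, or every element is quoted individually before the string is assembled; quoting the template around the value is what this CVE shows to be insufficient.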

Remediation and Mitigation

GitHub has already patched the vulnerability in the GitHub Actions Runner for their cloud service at github.com. The following patch versions have been released: 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4. If you are using GitHub Enterprise Server (GHES) or GitHub Advanced Security (GHAE), it is strongly recommended that you apply these patches to your instances to ensure that your runners automatically upgrade to the fixed versions.

Workaround

If you are unable to update your runner versions immediately, you can use the following workaround as a temporary measure: Remove any container actions, job containers, or service containers from affected jobs until you are able to upgrade the GitHub Actions Runner to a patched version.
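Applying the workaround starts with knowing which jobs are in scope. The following is an added Python example, not part of the original advisory or the runner project, that walks a workflow definition already loaded into a dict (the shape yaml.safe_load returns) and reports jobs that use a job container, service containers or a docker:// container action while also receiving expressions from attacker-influenceable contexts in env. The sample workflow and the set of contexts treated as untrusted are constructed assumptions to extend for your own repositories; repository-hosted Docker actions (uses: owner/repo@ref with a Dockerfile) cannot be recognised without fetching their action.yml, so this heuristic under-reports them.

```python
import re

# Expressions that interpolate attacker-influenceable context into a value.
# Constructed starting set (assumption): event fields an external contributor
# can write, the PR head ref, and workflow inputs. Extend for your threat model.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(?:"
    r"github\.event\.(?:issue|pull_request|comment|review|discussion|"
    r"head_commit|commits|pages)\b"
    r"|github\.head_ref\b"
    r"|inputs\."
    r")"
)

# Constructed sample workflow (not from the advisory), as yaml.safe_load
# would produce it. Only the 'label' job is both in scope and exposed.
SAMPLE_WORKFLOW = {
    "name": "triage",
    "jobs": {
        "label": {
            "runs-on": "ubuntu-latest",
            "container": {"image": "node:16"},
            "env": {"ISSUE_TITLE": "${{ github.event.issue.title }}", "CI": "true"},
            "steps": [{"run": "node label.js"}],
        },
        "build": {  # untrusted env, but no Docker command is built for it
            "runs-on": "ubuntu-latest",
            "env": {"ISSUE_TITLE": "${{ github.event.issue.title }}"},
            "steps": [{"run": "make"}],
        },
        "scan": {  # containers in use, but only trusted values reach env
            "runs-on": "ubuntu-latest",
            "services": {"db": {"image": "postgres:14",
                                "env": {"POSTGRES_PASSWORD": "${{ secrets.DB }}"}}},
            "steps": [{"uses": "docker://alpine:3", "env": {"SHA": "${{ github.sha }}"}}],
        },
    },
}


def container_usage(job: dict) -> list:
    """Why this job is in scope for the advisory, or [] if it is not."""
    reasons = []
    if job.get("container"):
        reasons.append("job container")
    if job.get("services"):
        reasons.append("service containers")
    for step in job.get("steps") or []:
        uses = step.get("uses")
        if isinstance(uses, str) and uses.startswith("docker://"):
            reasons.append(f"container action {uses}")
    return reasons


def untrusted_env(env) -> dict:
    """Subset of an env mapping whose values embed an untrusted expression."""
    if not isinstance(env, dict):
        return {}
    return {k: v for k, v in env.items()
            if isinstance(v, str) and UNTRUSTED_EXPR.search(v)}


def audit_workflow(workflow: dict) -> list:
    """One finding per in-scope job that receives untrusted env values at
    workflow, job, service or step level."""
    findings = []
    inherited = untrusted_env(workflow.get("env"))
    for name, job in (workflow.get("jobs") or {}).items():
        reasons = container_usage(job)
        if not reasons:
            continue
        risky = dict(inherited)
        risky.update(untrusted_env(job.get("env")))
        for service in (job.get("services") or {}).values():
            risky.update(untrusted_env((service or {}).get("env")))
        for step in job.get("steps") or []:
            risky.update(untrusted_env(step.get("env")))
        if risky:
            findings.append({"job": name, "why": reasons, "env": risky})
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"job '{finding['job']}' ({', '.join(finding['why'])}) "
              f"passes untrusted env: {finding['env']}")
```

Jobs reported by this audit are the ones to strip of container actions, job containers and service containers until the runner is on a patched version; jobs that use containers but receive only trusted values (secrets, the commit SHA) are not affected by this CVE, though moving untrusted event data out of env and into an explicit step input remains good practice.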

References

* GitHub Actions Runner Repository - The official GitHub repository for the actions runner.
* GitHub Actions Runner Releases - The release page containing the patched versions of the runner.
* GitHub Advisory for CVE-2022-39321 - The official security advisory with details on the vulnerability and available patches.

Conclusion

CVE-2022-39321 is a critical vulnerability affecting certain versions of the GitHub Actions Runner. To ensure the security of your CI/CD pipelines, it is essential to update your runner instances to the latest patched version or apply the workaround mentioned above. Always be cautious when dealing with untrusted user inputs in environment variables to avoid introducing security risks into your projects.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:27:00 UTC