CVE-2024-52587
📋 TL;DR
StepSecurity's Harden-Runner versions before 2.10.2 contain command injection vulnerabilities via environment variables that could allow attackers to execute arbitrary commands on GitHub Actions runners. This affects organizations using Harden-Runner for security hardening of their CI/CD pipelines. The risk is reduced because Harden-Runner typically runs as the first step in GitHub Actions jobs.
💻 Affected Systems
- StepSecurity Harden-Runner
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of GitHub Actions runner with ability to execute arbitrary commands, steal secrets, modify code, and pivot to internal systems.
Likely Case
Limited impact due to execution order constraints; potential for command execution if environment variables can be controlled by attackers.
If Mitigated
Minimal impact when using patched version or when Harden-Runner runs as first step with controlled environment variables.
🎯 Exploit Status
Exploitation requires control of environment variables and specific conditions; no known exploits currently exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.10.2
Vendor Advisory: https://github.com/step-security/harden-runner/security/advisories
Restart Required: No
Instructions:
- Update the GitHub Actions workflow to use 'step-security/harden-runner@v2.10.2' or later
- Replace any references to older versions with the patched version
- No restart required; the change takes effect on the next workflow run
🔧 Temporary Workarounds
Pin to a specific version
Explicitly pin a version while planning the upgrade. Caveat: v2.9.0, as shown here, is below the 2.10.2 patch version given above, so this pin only stops the ref from floating; it does not remove the vulnerability.
uses: step-security/harden-runner@v2.9.0
Remove Harden-Runner temporarily
Temporarily disable Harden-Runner while planning the upgrade.
# Remove or comment out the Harden-Runner step in your workflow
🧯 If You Can't Patch
- Restrict environment variable access in GitHub Actions workflows
- Implement additional security monitoring for runner activities
🔍 How to Verify
Check if Vulnerable:
Check GitHub Actions workflow YAML files for 'step-security/harden-runner' usage with version below 2.10.2
Check Version:
grep -r 'step-security/harden-runner' .github/workflows/
Verify Fix Applied:
Confirm workflow uses 'step-security/harden-runner@v2.10.2' or later
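An added scanner for the check above (not from this advisory or from StepSecurity): it reads workflow files, extracts each harden-runner ref and classifies it against the 2.10.2 fix version. The sample workflow and its 40-hex placeholder SHA are constructed; refs pinned to a commit SHA or to a floating major tag such as v2 are reported for manual review, since they cannot be resolved offline.

```python
"""Scan GitHub Actions workflow files for Harden-Runner refs below v2.10.2."""
import re
from pathlib import Path

FIXED = (2, 10, 2)  # first patched release named in the advisory
USES_RE = re.compile(r"""uses:\s*['"]?step-security/harden-runner@([^\s'"#]+)""")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def classify_ref(ref: str) -> str:
    """Return 'vulnerable', 'fixed' or 'manual' for one @ref."""
    m = SEMVER_RE.match(ref)
    if m:
        return "fixed" if tuple(map(int, m.groups())) >= FIXED else "vulnerable"
    # A commit SHA or a floating tag (v2, v2.10) cannot be resolved offline:
    # the tag moves over time, and a SHA must be looked up in the vendor repo.
    return "manual"


def scan_workflow_text(text: str, name: str = "<inline>") -> list[tuple[str, int, str, str]]:
    """Return (file, line, ref, verdict) for every Harden-Runner 'uses:' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            findings.append((name, lineno, m.group(1), classify_ref(m.group(1))))
    return findings


def scan_dir(root: Path = Path(".github/workflows")) -> list[tuple[str, int, str, str]]:
    """Scan every *.yml / *.yaml under root (the directory the page's grep targets)."""
    findings = []
    for path in sorted(root.glob("*.y*ml")):
        findings.extend(scan_workflow_text(path.read_text(), str(path)))
    return findings


# Constructed sample workflow (not from the page); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.9.0
      - uses: step-security/harden-runner@v2.10.2
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567
      - uses: step-security/harden-runner@v2
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for name, lineno, ref, verdict in scan_workflow_text(SAMPLE_WORKFLOW, "sample.yml"):
        print(f"{name}:{lineno}: harden-runner@{ref} -> {verdict}")
```

Run scan_dir() from a repository root to check real workflows; any 'vulnerable' or 'manual' verdict needs the ref updated or confirmed against the vendor advisory.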
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in GitHub Actions logs
- Environment variable manipulation in pre-step stages
Network Indicators:
- Unexpected outbound connections from GitHub Actions runners
SIEM Query:
source="github-actions" AND "harden-runner" AND (version<2.10.2 OR suspicious_command_execution)
🔗 References
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169
- https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229
- https://github.com/step-security/harden-runner/commit/0080882f6c36860b6ba35c610c98ce87d4e2f26f
- https://github.com/step-security/harden-runner/security/advisories/GHSA-g85v-wf27-67xc