Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks.
The issue — tracked as CVE-2021-41077 — concerns unauthorized access to and exfiltration of secret environment data associated with a public open-source project during the software build process. The problem is said to have lasted during an eight-day window between September 3 and September 10.
Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company's Péter Szilágyi pointing out that "anyone could exfiltrate these and gain lateral movement into 1000s of [organizations]."
Travis CI is a hosted CI/CD (short for continuous integration and continuous deployment) solution used to build and test software projects hosted on source code repository systems like GitHub and Bitbucket.
"The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."
In other words, a public repository forked from another one could file a pull request that could obtain secret environment variables set in the original upstream repository. Travis CI, in its own documentation, notes that "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code."
It has also acknowledged the possibility of exposure stemming from an external pull request: "A pull request sent from a fork of the upstream repository could be manipulated to expose environment variables. The upstream repository's maintainer would have no protection against this attack, as pull requests can be sent by anyone who forks the repository on GitHub."
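Because the leak happened by printing files and variables during a build, the practical question for a maintainer of an affected project is whether any of their own secret values appeared in public build logs from that window. The following audit script is an added example written for this article, not Travis CI's code or tooling; the build log, the secret names and the secret values are all constructed placeholders. It searches a log for each known secret in plain, base64 and hex form, and separately flags commands (environment dumps, echoed variables) that typically cause such exposure even when the value itself was not caught.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed secrets a maintainer would supply from their own records.
# These are placeholders, not real credentials.
SECRETS: Dict[str, str] = {
    "DEPLOY_TOKEN": "tok_constructed_placeholder_123456",
    "SIGNING_KEY": "sign-constructed-placeholder",
}

# Constructed sample build log in the shape of a CI console transcript.
# Line 5 leaks DEPLOY_TOKEN verbatim via `printenv`; line 7 leaks
# SIGNING_KEY in base64 form via a piped `echo`.
SAMPLE_LOG = """\
$ git clone --depth=50 https://github.com/example-org/example-project.git
$ export DEPLOY_TOKEN=[secure]
$ printenv
HOME=/home/travis
DEPLOY_TOKEN=tok_constructed_placeholder_123456
$ echo "$SIGNING_KEY" | base64
c2lnbi1jb25zdHJ1Y3RlZC1wbGFjZWhvbGRlcg==
$ make test
ok
"""

# Command shapes whose output commonly exposes the build environment.
SUSPICIOUS_COMMANDS = [
    (re.compile(r"^\$\s*(printenv|env)\b"), "environment dump"),
    (re.compile(r"^\$\s*set\s*$"), "environment dump"),
    (re.compile(r"^\$\s*export\s+-p\b"), "environment dump"),
    (re.compile(r"^\$\s*echo\b.*\$\{?[A-Z][A-Z0-9_]*"), "variable echoed"),
]


def encoded_forms(value: str) -> Dict[str, str]:
    """Representations of a secret that commonly show up in build output."""
    raw = value.encode()
    return {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }


def audit_build_log(log_text: str, secrets: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret_name, form) for each line containing a known secret."""
    findings: List[Tuple[int, str, str]] = []
    forms = {name: encoded_forms(val) for name, val in secrets.items() if val}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, reps in forms.items():
            for form, rep in reps.items():
                if rep in line:
                    findings.append((lineno, name, form))
    return findings


def suspicious_commands(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for commands that tend to expose secrets."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for pattern, reason in SUSPICIOUS_COMMANDS:
            if pattern.search(line):
                hits.append((lineno, reason))
                break  # one reason per line is enough
    return hits


if __name__ == "__main__":
    for lineno, name, form in audit_build_log(SAMPLE_LOG, SECRETS):
        print(f"line {lineno}: secret {name} exposed ({form}) - rotate it")
    for lineno, reason in suspicious_commands(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Any hit from the first function means the corresponding key must be rotated; a hit from the second with no value match still deserves a look, since the output may have been truncated or transformed in a way the three encodings do not cover. The script deliberately matches only secrets the maintainer already knows, so it cannot be pointed at someone else's logs to discover new ones.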
Szilágyi also called out Travis CI for downplaying the incident and failing to admit the "gravity" of the issue, while also urging GitHub to ban the company over its poor security posture and vulnerability disclosure processes. "After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."
The Berlin-based DevOps platform company on September 13 published a terse "security bulletin," advising users to rotate their keys regularly, and followed it up with a second note on its community forums stating that it has found no evidence the bug was exploited by malicious parties.
"Due to the extremely irresponsible manner [Travis CI] handled this situation, and their subsequent refusal to warn their users about potentially leaked secrets, we can only recommend everyone to immediately and indefinitely migrate away from Travis," Szilágyi added.