[BreachExchange] Secrets from Public Repositories Were Exposed Due to Travis CI Flaw

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Sep 20 09:07:58 EDT 2021


https://www.ehackingnews.com/2021/09/secrets-from-public-repositories-were.html

Travis CI, a continuous integration provider based in Berlin, has patched
a severe flaw that exposed signing keys, API keys, and access credentials,
potentially putting thousands of organizations at risk. Given the possible
consequences, the company has been criticized for not publishing a more
detailed description of the vulnerability. Péter Szilágyi, a team lead on
the Ethereum project, tweeted, "Anyone could exfiltrate these [secrets] and
gain lateral movement into 1000s of orgs."

The flaw, tracked as CVE-2021-41077, has been fixed by Travis CI, and
affected projects have been advised to rotate their secrets as soon as
possible. According to Szilágyi's tweet, the vulnerability was identified
by Felix Lange and reported to Travis CI on September 7. Travis CI says it
began fixing the issue on September 3, which would mean it detected the
problem before being contacted, although the timeline remains unclear.

"The desired behavior (if .travis.yml has been created locally by a
customer, and added to git) is for a Travis service to perform builds in a
way that prevents public access to customer-specific secret environment
data such as signing keys, access credentials, and API tokens," the
vulnerability description reads. "However, during the stated 8-day
interval, secret data could be revealed to an unauthorized actor who forked
a public repository and printed files during a build process."

In other words, anyone who forked a public repository and opened a pull
request against it could obtain the secret environment variables configured
for the upstream repository, simply by printing them during the build.
Travis CI's own documentation states that encrypted environment variables
are not made available to pull requests from forks, precisely because that
would hand them to unknown code; the flaw broke that guarantee.
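Because the provider-side isolation is what failed, the useful check for a repository owner is after the fact: which builds in the window came from fork pull requests, and do their logs contain any of the repository's secret values. The script below is an added example, not Travis CI's code nor anything from the projects quoted in the article. It relies on the build variables Travis CI documents (TRAVIS_PULL_REQUEST, TRAVIS_PULL_REQUEST_SLUG, TRAVIS_REPO_SLUG); the build records, log lines and secret values are constructed, and the set of encodings scanned for is an assumption about how an attacker would dodge the provider's log masking.

```python
"""Added example (not Travis CI's code): triage of Travis CI builds after a
secret-exposure window. Build records, logs and secret values below are
constructed for illustration."""
import base64
from urllib.parse import quote


def is_fork_pr(env: dict) -> bool:
    """True when the build was triggered by a pull request whose head
    repository differs from the repository being built. Uses the variable
    names Travis CI documents; "false" means the build is not a PR."""
    pr = env.get("TRAVIS_PULL_REQUEST", "false")
    if pr == "false":
        return False
    head = env.get("TRAVIS_PULL_REQUEST_SLUG", "")
    return bool(head) and head != env.get("TRAVIS_REPO_SLUG", "")


def needles(secret: str) -> dict:
    """Strings whose presence in a log shows the secret leaked. Provider
    masking usually hides only the literal value, so simple transforms an
    attacker might pipe the value through are included (assumed set)."""
    raw = secret.encode()
    out = {
        "plain": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "url": quote(secret, safe=""),
        "reversed": secret[::-1],
    }
    # Multi-line secrets (PEM signing keys) get printed line by line; any
    # long body line is evidence on its own.
    if "\n" in secret:
        for i, part in enumerate(secret.splitlines()):
            if len(part) >= 16 and not part.startswith("-----"):
                out[f"plain-line{i}"] = part
    # Drop short needles (false positives) and duplicate encodings
    # (e.g. url-encoding of a value with no reserved characters).
    uniq = {}
    for name, needle in out.items():
        if len(needle) >= 8 and needle not in uniq.values():
            uniq[name] = needle
    return uniq


def find_exposures(log: str, secrets: dict) -> list:
    """Return (secret_name, encoding, line_no) for every line of the log
    that contains a secret value in any scanned encoding."""
    hits = []
    lines = log.splitlines()
    for name, value in secrets.items():
        for enc, needle in needles(value).items():
            for line_no, line in enumerate(lines, 1):
                if needle in line:
                    hits.append((name, enc, line_no))
    return hits


def triage(builds: list, secrets: dict) -> dict:
    """Map each fork-PR build id to the exposures found in its log."""
    return {b["id"]: find_exposures(b["log"], secrets)
            for b in builds if is_fork_pr(b["env"])}


# Constructed sample data: two secrets and three builds. Build 102 is a
# fork PR whose log reveals both values through trivial transforms.
SECRETS = {
    "DEPLOY_TOKEN": "tkn_constructed_8f3a91c2d4e5",
    "NPM_TOKEN": "npm_constructed_0b1c2d3e4f5a",
}
_UPSTREAM = "upstream/project"
BUILDS = [
    {"id": 101,
     "env": {"TRAVIS_PULL_REQUEST": "false", "TRAVIS_PULL_REQUEST_SLUG": "",
             "TRAVIS_REPO_SLUG": _UPSTREAM},
     "log": "Installing dependencies...\nBuild passed\n"},
    {"id": 102,
     "env": {"TRAVIS_PULL_REQUEST": "57",
             "TRAVIS_PULL_REQUEST_SLUG": "attacker/project",
             "TRAVIS_REPO_SLUG": _UPSTREAM},
     "log": "$ printf '%s' \"$DEPLOY_TOKEN\" | rev\n"
            + SECRETS["DEPLOY_TOKEN"][::-1] + "\n"
            + "$ printf '%s' \"$NPM_TOKEN\" | base64\n"
            + base64.b64encode(SECRETS["NPM_TOKEN"].encode()).decode() + "\n"},
    {"id": 103,  # PR from a branch of the same repo: not a fork, not triaged
     "env": {"TRAVIS_PULL_REQUEST": "58", "TRAVIS_PULL_REQUEST_SLUG": _UPSTREAM,
             "TRAVIS_REPO_SLUG": _UPSTREAM},
     "log": "$ echo $DEPLOY_TOKEN\n[secure]\n"},
]

if __name__ == "__main__":
    for build_id, hits in triage(BUILDS, SECRETS).items():
        print(build_id, hits or "no exposure in log")
```

A scan like this only finds values that went through the build log; an attacker can just as easily send them to a host they control, so an empty report does not mean a secret is safe. That is why rotating every secret that was configured during the window is the right response regardless of what the logs show.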

According to Geoffrey Huntley, an Australian software and DevOps engineer,
the Travis CI vulnerability poses a supply chain risk for software
developers and for any organization that consumes software built by
projects using Travis CI. "For a CI provider, leaking secrets is up there
with leaking the source code as one of the worst things you never want to
do," Huntley says.

Szilágyi further criticized Travis CI for downplaying the incident and
failing to acknowledge its "gravity," and urged GitHub to ban the company
over its weak security posture and vulnerability disclosure practices.

"After three days of pressure from multiple projects, [Travis CI] silently
patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security
report, no post mortem, not warning any of their users that their secrets
might have been stolen."