    Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects

    Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks.

    The issue, tracked as CVE-2021-41077, concerns unauthorized access to, and theft of, secret environment data associated with a public open-source project during the software build process. The problem is said to have persisted for an eight-day window between September 3 and September 10.

    Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company's Péter Szilágyi pointing out that "anyone could exfiltrate these and gain lateral movement into 1000s of [organizations]."

    Travis CI is a hosted CI/CD (short for continuous integration and continuous deployment) service used to build and test software projects hosted on source code repository platforms such as GitHub and Bitbucket.

    "The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process."

    In other words, a pull request filed from a fork of a public repository could obtain the secret environment variables configured on the original upstream repository. Travis CI's own documentation notes that "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code."

    It has also acknowledged the risk of exposure stemming from an external pull request: "A pull request sent from a fork of the upstream repository could be manipulated to expose environment variables. The upstream repository's maintainer would have no protection against this attack, as pull requests can be sent by anyone who forks the repository on GitHub." The point for maintainers is that the fork, not the upstream project, controls the .travis.yml that a pull-request build executes, so the isolation can only come from the CI platform withholding the secrets; nothing written into the upstream configuration can enforce it.
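    Since an upstream configuration cannot guard against a malicious fork, the maintainer-side response to an exposure like this is to assume the secrets were read, rotate them, and look at which fork pull-request builds ran during the window. The following is an added triage example, not Travis CI's code or anything from the projects mentioned on the page: it picks out builds that were pull-request events from a fork inside the September 3 to 10 window and scans their logs for known secret values in a few encodings an exfiltrating build script would plausibly use (plain, base64, reversed, hex). The build records, log text and secret values are all constructed here for illustration; in practice they would be fetched from the Travis API and from the project's own secret store. The field names on the build records (`event_type`, `repo_slug`, `head_repo_slug`, `started_at`) are this example's own, not a claim about the API's schema.

```python
"""Triage helper for a CVE-2021-41077-style exposure.

Added example (not Travis CI's code). Finds builds that ran in the exposure
window for a pull request from a fork and scans their logs for known secret
values. A clean scan proves nothing (an attacker can encode a value any way
they like), so this narrows the investigation; rotation is the remedy.
"""
import base64
from datetime import datetime, timezone

# Exposure window stated in the CVE description and security bulletin.
WINDOW_START = datetime(2021, 9, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 9, 10, 23, 59, 59, tzinfo=timezone.utc)

# Constructed secret values standing in for the real secure variables that
# were configured on the upstream repository at the time.
SECRETS = {
    "NPM_TOKEN": "npm_EXAMPLEtoken123",
    "SIGNING_KEY_PASSPHRASE": "correct-horse",
}

# Constructed build records. Field names are this example's own assumption.
BUILDS = [
    {"id": 1, "event_type": "push", "repo_slug": "org/app",
     "head_repo_slug": "org/app", "started_at": "2021-09-05T10:00:00Z"},
    {"id": 2, "event_type": "pull_request", "repo_slug": "org/app",
     "head_repo_slug": "someone/app", "started_at": "2021-09-07T12:30:00Z"},
    {"id": 3, "event_type": "pull_request", "repo_slug": "org/app",
     "head_repo_slug": "someone/app", "started_at": "2021-09-12T12:30:00Z"},
]

# Constructed log of build 2: the fork's script base64-encoded the token to
# slip past the log masking that only hides the plain value.
LOGS = {
    2: "$ npm ci\n$ echo bnBtX0VYQU1QTEV0b2tlbjEyMw==\nDone.",
}


def is_fork_pull_request(build: dict) -> bool:
    """True when the build is a pull_request event whose head repository
    differs from the upstream one (the same comparison Travis exposes in a
    job as TRAVIS_PULL_REQUEST_SLUG versus TRAVIS_REPO_SLUG)."""
    return (build["event_type"] == "pull_request"
            and build["head_repo_slug"] != build["repo_slug"])


def in_exposure_window(build: dict) -> bool:
    started = datetime.fromisoformat(build["started_at"].replace("Z", "+00:00"))
    return WINDOW_START <= started <= WINDOW_END


def suspect_builds(builds: list) -> list:
    """Fork pull-request builds that ran while secrets were being injected."""
    return [b for b in builds if is_fork_pull_request(b) and in_exposure_window(b)]


def encodings(secret: str) -> dict:
    """Forms a leaked value is likely to take in a log. Heuristic and
    deliberately short; anything cleverer (xor, split across lines) escapes."""
    return {
        "plain": secret,
        "base64": base64.b64encode(secret.encode()).decode(),
        "reversed": secret[::-1],
        "hex": secret.encode().hex(),
    }


def scan_log(log: str, secrets: dict) -> list:
    """Return (secret_name, encoding, line_no) for every log line that
    carries a known secret in one of the encodings above."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for name, value in secrets.items():
            for enc, needle in encodings(value).items():
                if needle in line:
                    hits.append((name, enc, lineno))
    return hits


def triage(builds: list, logs: dict, secrets: dict) -> dict:
    """Map each suspect build id to the hits in its log. An empty list means
    the scan found nothing, not that nothing was taken."""
    return {b["id"]: scan_log(logs.get(b["id"], ""), secrets)
            for b in suspect_builds(builds)}


if __name__ == "__main__":
    for build_id, hits in triage(BUILDS, LOGS, SECRETS).items():
        print(f"build {build_id}: {hits or 'no known secret seen; rotate anyway'}")
```

Build 1 is a push build and build 3 ran after the fix, so only build 2 is examined; its log carries the npm token as base64, which the plain-value masking in the log viewer would not have caught. Whatever the scan reports, every secret that existed on the repository during the window should be rotated, which is also what the bulletin quoted below advises.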

    Szilágyi also called out Travis CI for downplaying the incident and failing to acknowledge the "gravity" of the issue, while urging GitHub to ban the company over its poor security posture and vulnerability disclosure processes. "After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."

    The Berlin-based DevOps platform company published a terse "security bulletin" on September 13, advising users to rotate their keys regularly, and followed it up with a second notice on its community forums stating that it had found no evidence the bug was exploited by malicious parties.

    "Due to the extremely irresponsible way [Travis CI] handled this situation, and their subsequent refusal to warn their users about potentially leaked secrets, we can only recommend everyone to immediately and indefinitely migrate away from Travis," Szilágyi added.