Travis CI, a continuous integration vendor, has addressed a significant security hole that exposed API keys, access tokens, and passwords, putting enterprises that use public source code repositories at risk.
Unauthorized access and pillage of confidential environment data linked with a public open-source project during the software build process is the subject of the vulnerability, which has been assigned the number CVE-2021-41077. Between September 3 and September 10, the problem is alleged to have continued for eight days. On September 7, Ethereum’s Felix Lange was credited with uncovering the breach, with Péter Szilágyi of the company pointing out that anyone may withdraw these and gain lateral movement into thousands of organizations.
Travis CI is a hosted CI/CD (continuous integration and continuous deployment) solution for developing and testing software projects hosted on GitHub and Bitbucket.
If a customer has created a.travis.yml locally and added it to git, the desired behaviour is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data like signing keys, access credentials, and API tokens, as the vulnerability description reads. However, confidential material could be revealed to an unauthorized actor who forked a public repository and printed files during a build process during the claimed 8-day interval.
To put it another way, a public repository cloned from another may submit a pull request to get access to hidden environmental variables stored in the upstream repository. “Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code,” Travis CI says in its documentation.
It’s also stated that an external pull request might disclose environment variables: “A pull request made from a fork of the upstream repository could be modified to reveal environment variables.” Pull requests can be issued by anyone who forks the repository on GitHub, therefore the upstream repository’s maintainer would have no protection against this attack.
Szilágyi further chastised Travis CI for downplaying the incident and failing to acknowledge its “gravity,” and urged GitHub to ban the firm for its weak security posture and vulnerability report protocols. “On the 10th, [Travis CI] discreetly corrected the bug after three days of pressure from numerous projects,” Szilágyi tweeted. “There was no analysis, no security assessment, no post mortem, no notification to any of their users that their secrets had been stolen.”
On September 13, the Berlin-based DevOps platform company issued a brief “security bulletin” advising users to rotate their keys on a regular basis, and then followed up with a second notice on its community forums stating that it has found no evidence that the bug was exploited by malicious parties.
Szilágyi continued that because of Travis CI’s incredibly negligent handling of this matter, and their subsequent reluctance to alert its users about potentially disclosed secrets, they can only propose that everyone transfer away from Travis immediately and indefinitely.
