Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks.
The issue — tracked as CVE-2021-41077 — concerns unauthorized access to, and exfiltration of, secret environment data associated with a public open-source project during the software build process. The exposure is said to have lasted for an eight-day window, from September 3 to September 10.
Felix Lange of Ethereum has been credited with discovering the leakage on September 7, with the company’s Péter Szilágyi pointing out that “anyone could exfiltrate these and gain lateral movement into 1000s of [organizations].”
Travis CI is a hosted CI/CD (short for continuous integration and continuous deployment) solution used to build and test software projects hosted on source code repository systems like GitHub and Bitbucket.
“The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens,” the vulnerability description reads. “However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process.”
In other words, a fork of a public repository could open a pull request whose build obtained the secret environment variables set in the original upstream repository. Travis CI, in its own documentation, notes that “Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.”
It has also acknowledged the risk of exposure stemming from an external pull request: “A pull request sent from a fork of the upstream repository could be manipulated to expose environment variables. The upstream repository’s maintainer would have no protection against this attack, as pull requests can be sent by anyone who forks the repository on GitHub.”
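The gating rule the documentation describes (encrypted variables are injected into a build only when the pull request does not come from a fork) can be modelled as follows. This is an added, hypothetical example written for this page, not Travis CI's implementation; the class and function names and the sample repository slugs are constructed.

```python
"""Hypothetical model of the CI secret-gating rule: encrypted environment
variables must never be injected into builds for pull requests from forks.
Names and sample data are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRequest:
    event: str          # "push" or "pull_request"
    upstream_slug: str  # repository whose .travis.yml is being built
    head_slug: str      # repository the commit actually came from


@dataclass(frozen=True)
class ProjectSecrets:
    plain_env: dict      # safe to expose to any build
    encrypted_env: dict  # signing keys, access tokens, API credentials


# Constructed sample project configuration.
SECRETS = ProjectSecrets(
    plain_env={"CI": "true", "LANG": "en_US.UTF-8"},
    encrypted_env={"API_TOKEN": "tok_example_not_real"},
)


def is_fork_pull_request(req: BuildRequest) -> bool:
    """A PR whose head repository differs from the upstream repository is external
    code that the maintainer did not author or review before the build runs."""
    return req.event == "pull_request" and req.head_slug != req.upstream_slug


def build_environment(req: BuildRequest, secrets: ProjectSecrets) -> dict:
    """Return the environment a build should receive. Encrypted variables are
    added only when the request is not a fork PR; this is the documented
    behaviour that the CVE-2021-41077 window violated."""
    env = dict(secrets.plain_env)
    if not is_fork_pull_request(req):
        env.update(secrets.encrypted_env)
    return env


def redact_log_line(line: str, secrets: ProjectSecrets) -> str:
    """Defence in depth for build logs: mask any secret value that is echoed,
    so even a trusted build that prints its environment does not leak it."""
    for value in secrets.encrypted_env.values():
        if value:
            line = line.replace(value, "[secure]")
    return line
```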
Szilágyi also called out Travis CI for downplaying the incident and failing to admit the “gravity” of the issue, while also urging GitHub to ban the company over its poor security posture and vulnerability disclosure processes. “After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th,” Szilágyi tweeted. “No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen.”
The Berlin-based DevOps platform company on September 13 published a terse “security bulletin,” advising users to rotate their keys on a regular basis, and followed it up with a second notice on its community forums stating that it has found no evidence that the bug was exploited by malicious parties.
“Due to the extremely irresponsible way [Travis CI] handled this situation, and their subsequent refusal to warn their users about potentially leaked secrets, we can only recommend everyone to immediately and indefinitely transfer away from Travis,” Szilágyi added.