Press "Enter" to skip to content

Travis CI flaw exposed secrets for thousands of open source projects


Enlarge
Getty Images

A security flaw in Travis CI potentially exposed secrets for thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. However, a vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

And, worse, the dev community is upset about the poor handling of the vulnerability disclosure process and a thinly worded “security bulletin” it had to force out of Travis.

Environment variables injected into PR builds

Travis CI remains a popular choice of software-testing tool among developers due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain it themselves:

When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment, and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host.

But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables of all public open source repositories that use Travis CI into pull request (PR) builds. Environment variables can include sensitive secrets like signing keys, access credentials, and API tokens. If exposed, attackers can abuse these secrets to obtain lateral movement into networks of thousands of organizations.

Just came in:  Nintendo Direct reveals new Kirby, Mario Party game, and more

A simple GitHub search demonstrates Travis is in widespread use by a large number of projects:

Enlarge / GitHub search results for “travis.yml.”

Tracked as CVE-2021-41077, the bug is present in Travis CI’s activation process and impacts certain builds created between September 3 and September 10. As a part of this activation process, developers are supposed to add a “.travis.yml” file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. But these secrets are not meant to be exposed. In fact, Travis CI’s docs have always stated, “encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code.”

Ideally, for a customer-provided “travis.yml” file present in their Git repository, Travis is expected to run in a manner that prevents public access to any secret environment variables specified in the YML file. Put simply, when a public project is forked (copied), the “.travis.yml” file, along with these secrets, gets included in the fork. This is what’s not supposed to happen. But this vulnerability caused such secrets to be unexpectedly exposed to just about anyone forking a public repository and printing files during a build process.

Fortunately, the issue seems to have lasted not too long—around eight days, thanks to Lange and other researchers who notified the company of the bug on September 7. But, out of caution, all projects relying on Travis CI are advised to rotate their secrets.

While not exactly similar in nature, the vulnerability has echoes of the Codecov supply chain attack in which threat actors had exfiltrated secrets and sensitive environment variables of many Codecov customers from their CI/CD environments, leading to further data leaks at prominent companies.

Just came in:  Amazon is reportedly working on an Alexa-powered soundbar and wall-mounted Echo

“According to a received report, a public repository forked from another one could file a pull request (standard functionality e.g. in GitHub, BitBucket, Assembla) and while doing it, obtain unauthorized access to secret from the original public repository with a condition of printing some of the flies during the build process,” explains Montana Mendy of Travis CI in a security bulletin. “In this scenario, secrets are still encrypted in the Travis CI database.”

Mendy states the issue only applies to public repositories and not private repositories, as repository owners of the latter have full control over who can fork their repositories.

Community furious over flimsy “security bulletin”

The presence and relatively quick patching of the flaw aside, Travis CI’s concise security bulletin and overall handling of the coordinated disclosure process has not sat well with the developer community.

In a long Twitter thread, Ethereum cryptocurrency project lead Péter Szilágyi details the arduous process that his company needed to endure for Travis CI to take action and release an elusive security bulletin at an obscure webpage:

“After 3 days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th. No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen,” tweeted Szilágyi.

Just came in:  You tell us: Is the Microsoft Surface Duo 2 hot or not?

After Szilágyi and Lange reached out to GitHub to have Travis CI banned over poor security posture and vulnerability disclosure process, an advisory showed up:

“Finally after multiple ultimatums from multiple projects [they] posted this lame ass post hidden deep where nobody will read it… Not even a single ‘thank you.’ [No] acknowledgment of responsible disclosure. Not even admitting the gravity of it all,” continued Szilágyi, while referring to the aforementioned security bulletin, and especially its abridged version that barely has any details:

Enlarge / Yes, that’s a legit security bulletin.

Szilágyi was joined by several members of the community criticizing the bulletin in the same thread. Boston-based web developer Jake Jarvis called it an “insanely embarrassing ‘security bulletin’.”

But team Travis thinks rotating your secrets is something you should be doing anyway. “Travis CI implemented a series of security patches starting on Sept 3rd that resolves this issue,” concluded Mendy on behalf of the Travis CI team. “As a reminder, cycling your secrets is something that all users should do on a regular basis. If you are unsure how to do this please contact Support.”

Ars has reached out to both Travis CI and Szilágyi for further comment, and we are awaiting their response.