A security flaw in Travis CI may have exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software testing solution used by more than 900,000 open source projects and 600,000 users. A flaw in the tool made it possible to exfiltrate secure environment variables (signing keys, access credentials and API tokens) of all public open source projects.
Worse still, the developer community is annoyed at the poor handling of the vulnerability disclosure process and at the terse “security bulletin” that Travis had to be pressed into publishing.
Environment variables inserted in pull request builds
Travis CI is a popular software testing tool because of its seamless integration with GitHub and Bitbucket. As the tool's makers explain:
When you do a build, Travis CI clones your GitHub repository into a brand new virtual environment and performs a series of tasks to build and test your code. If one or more of these tasks fail, the build is considered broken. If none of the tasks fail, the build is passed and Travis CI can host your code on a web server or application host.
But this month, researcher Felix Lange found a vulnerability that caused Travis CI to include the secure environment variables of every public open source repository using Travis CI in pull request builds. Environment variables can hold confidential secrets such as signing keys, credentials and API tokens. Once such variables are exposed, attackers can abuse the secrets to move laterally into the networks of thousands of organizations.
A simple GitHub search shows that Travis is widely used on a wide variety of projects:
[Image: GitHub search results for travis.yml.]
The bug, tracked as CVE-2021-41077, lies in the Travis CI activation process and affects certain builds made between September 3rd and September 10th. As part of activation, developers add a .travis.yml file to their open source project repository. This file tells Travis CI what to do and can contain encrypted secrets. Encrypted secrets can also be defined in the Travis web user interface. These secrets must never be divulged; indeed, Travis CI's documentation has always stated: “Encrypted environment variables are not available for pull requests from forks because there is a security risk that such information could be exposed to unknown code.”
Ideally, Travis should be run in such a way that it prevents public access to any specified secret environment variables.
“These secure environment variables … are configured on the Travis web user interface and remain the sole property of Travis,” Péter Szilágyi, leader of the Ethereum cryptocurrency project, told Ars. “These variables are then added to the environment in the builds but only for trusted code (i.e. code that has been merged). For external code (PRs), the env variables should not be included as the maintainer has no control over the code submitted by outsiders. The problem was they messed up something and injected the secret keys into untrustworthy builds as well.”
This vulnerability meant that such secrets were unexpectedly disclosed to almost anyone who forked a public repository and printed files during a build process.
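A build-side tripwire for the condition described above, added here as an example (it is not Travis CI's code and not from the article): run as the first step of a job, it fails the build when Travis's documented TRAVIS_EVENT_TYPE, TRAVIS_REPO_SLUG, TRAVIS_PULL_REQUEST_SLUG and TRAVIS_SECURE_ENV_VARS variables show secure variables present in a pull request that comes from a fork, which is exactly the exposure CVE-2021-41077 produced.

```shell
#!/usr/bin/env bash
# Tripwire for the CVE-2021-41077 condition: secure environment variables
# injected into a pull-request build that originates from a fork.
# Arguments: event_type repo_slug pr_slug secure_env_vars
# Returns 0 when exposure matches Travis's documented policy, 1 when secure
# variables are present in a fork PR build (the leak), 2 on malformed input.
check_secure_vars_policy() {
  local event_type="$1" repo_slug="$2" pr_slug="$3" secure_vars="$4"
  case "$secure_vars" in
    true|false) ;;
    *) return 2 ;;
  esac
  # Push, cron and API builds run trusted (merged) code: secure vars expected.
  if [ "$event_type" != "pull_request" ]; then
    return 0
  fi
  # A PR from the same repository is trusted code; Travis does supply secure
  # vars there, so that is not a violation.
  if [ "$pr_slug" = "$repo_slug" ]; then
    return 0
  fi
  # Fork PR: secure variables must be absent. Their presence is the bug.
  if [ "$secure_vars" = "true" ]; then
    return 1
  fi
  return 0
}

# Evaluate the live Travis environment; outside Travis the defaults describe
# an ordinary push build, so the check passes.
main() {
  if check_secure_vars_policy "${TRAVIS_EVENT_TYPE:-push}" "${TRAVIS_REPO_SLUG:-}" \
       "${TRAVIS_PULL_REQUEST_SLUG:-}" "${TRAVIS_SECURE_ENV_VARS:-false}"; then
    echo "secure-var policy OK"
  else
    echo "POLICY VIOLATION: secure environment variables present in a fork PR build" >&2
    echo "Treat every secret configured for this repository as compromised and rotate it." >&2
    exit 1
  fi
}

main "$@"
```

A failed tripwire is only a detection signal; it cannot undo exposure, which is why the rotation advice that follows matters.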
Fortunately, the problem did not last long (about eight days), thanks to Lange and other researchers who notified the company of the bug on September 7. Out of caution, however, all projects that rely on Travis CI are advised to rotate their secrets.
The vulnerability is not identical, but it is reminiscent of the Codecov supply chain attack, in which threat actors exfiltrated secrets and sensitive environment variables of many Codecov customers from their CI/CD environments, leading to further data leaks at well-known companies.
“According to a report that was received, a public repository that was forked from another could file a pull request (standard functionality, such as printing some of the files during the build process),” said Montana Mendy of Travis CI in a security bulletin. “In this scenario, secrets are still encrypted in the Travis CI database.”
Mendy says the problem applies only to public repositories, not private ones, since owners of private repositories have full control over who can fork them.
Community angry about flimsy “security bulletin”
Beyond the bug itself and its relatively quick fix, Travis CI's terse security bulletin and its general handling of the coordinated disclosure process angered the developer community.
In a long Twitter thread, Péter Szilágyi describes the arduous process his group went through while waiting for Travis CI to take action and publish a short security bulletin on an obscure website.
Between September 3rd and September 10th, secure environment variables were injected into PR builds from *all* @travisci public repositories. Signing keys, access credentials, API tokens.
Anyone could exfiltrate these and gain lateral movement into thousands of organizations. #security 1/4 https://t.co/i23jFzAjjH
– Péter Szilágyi (Karalabe.eth) (@peter_szilagyi) September 14, 2021
“After 3 days of pinging through several projects, [Travis CI] tacitly patched the problem on the 10th. No analysis, no security report, no post-mortem, no warning to its users that their secrets may have been stolen,” Szilágyi tweeted.
After Szilágyi and Lange asked GitHub to ban Travis CI over its poor security posture and vulnerability disclosure, an advisory surfaced. “Finally, after several ultimatums from several projects, [they] posted this lame post hidden deep where no one will read it … Not even a single ‘thank you’. [No] recognition of responsible disclosure. Not even admitting the seriousness of the whole thing,” said Szilágyi, referring to the security bulletin – and above all to its abridged version, which contained hardly any details.
[Image: Yes, this is a legitimate security bulletin.]
Szilágyi was supported by several members of the community in criticizing the bulletin. Boston-based web developer Jake Jarvis described the disclosure as “an insanely embarrassing ‘security bulletin'”.
But Travis CI maintains that rotating secrets is something developers should be doing anyway. “Travis CI implemented a number of security patches effective September 3rd that address this issue,” concluded Mendy on behalf of the Travis CI team. “As a reminder, secrets should be rotated regularly by all users. If you are unsure how to do this, please contact support.”
Ars has asked both Travis CI and Szilágyi for further comments and we are awaiting their responses.
Update: 8:59 p.m. PT – Added Szilágyi's response, received after publication, and clarified that the secrets were not revealed from the .travis.yml file, as the CVE advisory implies, but from Travis' web interface.