Travis CI flaw exposed the secrets of thousands of open source projects

Travis CI flaw exposed the secrets of thousands of open source projects

fake images

A security flaw in Travis CI potentially exposed secrets from thousands of open source projects that rely on the hosted Continuous Integration Service. Travis CI is a software testing solution used by more than 900,000 open source projects and 600,000 users. However, a vulnerability in the tool made it possible for secure environment variables (signing keys, access credentials, and API tokens from all public open source projects) to be exfiltered.

Worse still, the developer community is upset by the mishandling of the vulnerability disclosure process and a thinly worded “security bulletin” he had to eject from Travis.

Environment variables injected into PR builds

Travis CI is a popular software testing tool choice among developers due to its seamless integration with GitHub and Bitbucket. As creators of the tool explain that:

When you run a build, Travis CI clones your GitHub repository into a completely new virtual environment and performs a series of tasks to compile and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy his code to a web server or application host.

But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables from everybody Open source public repositories using Travis CI in pull request (PR) builds. Environment variables can include sensitive secrets such as signing keys, access credentials, and API tokens. If exposed, attackers can abuse these secrets to gain lateral movement across the networks of thousands of organizations.

A simple GitHub search shows that Travis is widely used in a large number of projects:

GitHub search results for
Enlarge / GitHub search results for “travis.yml”.

Registered as CVE-2021-41077, the bug is present in the Travis CI activation process and impacts certain builds created between September 3-10. As part of this activation process, developers are supposed to add a “.travis.yml” file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. But these secrets are not meant to be exposed. In fact, the Travis CI docs have always said that “encrypted environment variables are not available to extract branch requests due to the security risk of exposing such information to unknown code.”

Ideally, for a customer-supplied “travis.yml” file present in your Git repository, Travis is expected to run in a way that prevents public access to any secret environment variables specified in the YML file. Simply put, when a public project is forked (copied), the “.travis.yml” file, along with these secrets, is included in the fork. This is what is not supposed to happen. But this vulnerability caused such secrets to be unexpectedly exposed to almost anyone who forks a public repository and prints files during a build process.

Fortunately, the problem doesn’t seem to have lasted long, around eight days, thanks to Lange and other researchers who notified the company of the bug on September 7. But as a precaution, all projects that rely on Travis CI are advised to rotate his mysteries.

While not exactly similar in nature, the vulnerability has echoes of Codecov’s supply chain attack in which threat actors had exfiltrated secrets and sensitive environment variables from many Codecov clients from their CI / CD environments, leading to more data leaks at prominent companies.

“According to a report received, a public repository forked from another could submit a pull request (standard functionality, for example, on GitHub, BitBucket, Assembla) and, while doing so, gain unauthorized access to the original public repository secret with a condition of printing some of the flies during the construction process, “explains Montana Mendy of Travis CI in a security bulletin. “In this scenario, the secrets are still encrypted in the Travis CI database.”

Mendy claims that the problem only applies to public repositories and not private ones, as the owners of the latter have full control over who can fork their repositories.

Community furious over flimsy “security bulletin”

The presence and relatively quick repair of the flaw aside, Travis CI’s concise security bulletin and overall handling of the coordinated disclosure process has not sat well with the developer community.

In a long Twitter thread, Ethereum cryptocurrency project leader Péter Szilágyi details the arduous process his company had to go through for Travis CI to take action and launch an elusive security bulletin on an unknown website:

“After three days of pressure for various projects, [Travis CI] it quietly fixed the problem on the 10th. No analysis, no security report, no autopsy, without warning any of its users that their secrets might have been stolen, “Szilágyi tweeted.

After Szilágyi and Lange contacted GitHub to ban Travis CI due to poor security posture and a vulnerability disclosure process, a notice appeared:

“Finally, after multiple ultimatums from multiple projects [they] posted this silly post hidden deep where no one will read it … not even a single ‘thank you’. [No] acknowledgment of responsible disclosure. Not even admitting the seriousness of everything, “Szilágyi continued, referring to the aforementioned security bulletin, and especially to his shortened version which has hardly any details:

Yes, it is a legitimate security bulletin.
Enlarge / Yes, it is a legitimate security bulletin.

Szilágyi was joined by several community members who criticized the newsletter in the same thread. Boston-based web developer Jake Jarvis called is an “incredibly embarrassing security bulletin.”

But Travis’s team believes that rotating your secrets is something you should be doing anyway. “Travis CI implemented a number of security patches as of September 3 that address this issue,” concluded Mendy on behalf of the Travis CI team. “As a reminder, all users should cycle their secrets regularly. If you are unsure how to do this, please contact Support.”

Ars has reached out to Travis CI and Szilágyi for further comment, and we are awaiting their response.

Leave a Reply

Your email address will not be published. Required fields are marked *