Travis CI flaw reveals secrets of thousands of open source projects

Developers are angry at Travis CI's highly embarrassing "security bulletin". Travis CI is a software testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool, however, could expose the secure environment variables - signing keys, access credentials, and API tokens - of all public open source projects.

Worse, the developer community is upset at the poor handling of the vulnerability disclosure process and at the terse "security bulletin" that eventually came out of Travis CI.

Secure environment variables injected into PR builds. Travis CI remains a popular software testing tool among developers thanks to its seamless integration with GitHub and Bitbucket. As the tool's makers explain:

When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host.

But this month, researcher Felix Lange discovered a vulnerability that caused Travis CI to inject the secure environment variables of all public open source repositories that use Travis CI into pull request (PR) builds. Such environment variables can include sensitive secrets such as signing keys, access credentials, and API tokens. Once exposed, attackers could use these secrets to gain access to the networks of thousands of organizations.

A simple GitHub search indicates that Travis is in widespread use in a large number of projects:

[Image: GitHub search results for ".travis.yml"]

Tracked as CVE-2021-41077, the flaw lies in Travis CI's activation process and affects certain builds created between September 3 and September 10. As part of this activation process, developers must add a ".travis.yml" file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. Those secrets are not supposed to be revealed. In fact, the Travis CI documentation has always stated: "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code."


Ideally, for a customer who includes a ".travis.yml" file in their Git repository, Travis is expected to operate in a way that prevents public access to any environment variables hidden by the secure blocks specified in the YML file. Simply put, when a public project is forked (copied), the ".travis.yml" file that references these secrets is copied along with it; that much is expected. But this vulnerability caused such secrets to be unexpectedly exposed to anyone who forks a public repository and prints files during the build. Fortunately, this appears to have been fixed quickly, thanks to Lange and other researchers who reported the bug to the company on September 7. Still, out of caution, all Travis CI-based projects are advised to rotate their secrets. The vulnerability is reminiscent of the Codecov supply chain attack, in which threat actors exposed sensitive secrets and environment variables of many Codecov customers from their CI/CD environments, leading to further information leaks at high-profile companies.
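The expected behaviour described above, that secure variables are withheld from pull request builds coming from forks, can be verified from inside a build step rather than taken on trust. The following is an added example written for this page; it is not Travis CI's code and does not come from the article. It relies on the documented Travis build variables TRAVIS_REPO_SLUG, TRAVIS_PULL_REQUEST, TRAVIS_PULL_REQUEST_SLUG and TRAVIS_SECURE_ENV_VARS, and the secret names DEPLOY_TOKEN and SIGNING_KEY are placeholders for whatever a project actually defines. The guard fails closed: if a fork PR build turns out to carry secure variables, it scrubs them from the environment, exits non-zero so that later deploy steps never run, and tells the maintainer that the secrets need rotating.

```shell
#!/usr/bin/env sh
# Added example (not Travis CI's own code): a fail-closed guard for a
# .travis.yml script step. Secret variable names below are placeholders.

# is_fork_pr REPO_SLUG PR_NUMBER PR_SLUG
# Travis sets TRAVIS_PULL_REQUEST to "false" for non-PR builds and to the
# PR number otherwise; TRAVIS_PULL_REQUEST_SLUG names the repository the PR
# branch lives in. A PR whose slug differs from the repo being built is a
# fork PR and must not see secure variables.
is_fork_pr() {
  repo_slug=$1; pr_number=$2; pr_slug=$3
  [ -n "$pr_number" ] && [ "$pr_number" != "false" ] && [ "$pr_slug" != "$repo_slug" ]
}

# check_secret_exposure FORK_FLAG SECURE_FLAG VAR...
# FORK_FLAG is "yes" or "no" (from is_fork_pr); SECURE_FLAG is the value of
# TRAVIS_SECURE_ENV_VARS; VAR... are the names of the project's own secrets.
# Returns 0 when the build state is as expected and 2 when a fork PR build
# received secure variables (the symptom the article describes). Any secret
# found in a fork PR build is unset so later steps cannot use or print it.
check_secret_exposure() {
  fork=$1; secure=$2; shift 2
  if [ "$fork" = "no" ]; then
    echo "trusted build: secure variables are expected here"
    return 0
  fi
  leaked=0
  if [ "$secure" = "true" ]; then
    leaked=1
  fi
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -n "$val" ]; then
      leaked=1
      unset "$name"   # scrub the value from this shell's environment
    fi
  done
  if [ "$leaked" -eq 1 ]; then
    echo "ALERT: fork PR build received secure variables; rotate all secrets" >&2
    return 2
  fi
  echo "fork PR build: no secure variables present, as documented"
  return 0
}

# Usage inside a Travis build (skipped when not running on Travis, where the
# TRAVIS variable is set to "true"):
if [ "${TRAVIS:-}" = "true" ]; then
  if is_fork_pr "$TRAVIS_REPO_SLUG" "$TRAVIS_PULL_REQUEST" "$TRAVIS_PULL_REQUEST_SLUG"; then
    fork=yes
  else
    fork=no
  fi
  check_secret_exposure "$fork" "${TRAVIS_SECURE_ENV_VARS:-false}" DEPLOY_TOKEN SIGNING_KEY
fi
```

Placing this as the first `script` step means a misbehaving CI platform is caught by the build itself; the non-zero exit is what stops a deploy step from consuming credentials that should never have been present.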

"According to the report received, a public repository forked from another one could file a pull request (standard functionality e.g. in GitHub, BitBucket, Assembla) and while doing so, obtain unauthorized access to secrets from the original public repository, with the condition of printing some of the files during the build process," Travis CI's Montana Mendy explains in a bulletin. "In this scenario, the secrets are still encrypted in the Travis CI database."

Mendy says this only applies to public repositories, not private ones, because the owners of the latter have full control over who can fork them. That is cold comfort to developers.

Obscure webpage


Szilágyi wrote: "Between September 3rd and September 10th, secure env vars of *public* travisci repositories were injected into PR builds: signing keys, access credentials, API tokens. Anyone could exfiltrate these and move laterally into thousands of organizations. Kindly asking GitHub to ban Travis CI for their poor security and vulnerability disclosure:"

"...where nobody reads it... not even a 'thank you'. [No] acknowledgement of responsible disclosure. Without acknowledging the importance of all this," Szilágyi continued, referring to the above-mentioned security bulletin, and in particular its hard-to-find, sparse summary:

[Image: "Yes, this is a legit security bulletin."]

Several others joined Szilágyi in criticizing the bulletin, with Boston-based web developer Jake Jarvis describing it as an "embarrassing" security bulletin. "Travis CI has implemented a series of security patches since September 3 that address this issue," Mendy said on behalf of the Travis CI team. "As a reminder, rotating your secrets is something all users should do on a regular basis. If you are not sure how to do this, please contact support."

Ars has contacted Travis CI and Szilágyi and is awaiting their responses.
