DevOps firm slammed for ‘abysmal’ incident response
Concern is growing within the infosec community that a breach at DevOps platform vendor Travis CI might run deeper than the firm has so far been prepared to admit.
Travis CI, a continuous integration and continuous delivery (CI/CD) service for cloud platform projects, admitted to an issue in a post on its community forums while also downplaying its significance:
According to a received report, a public repository forked from another one could file a pull request (standard functionality e.g. in GitHub, BitBucket, Assembla) and while doing it, obtain unauthorized access to secrets from the original public repository with a condition of printing some of the files during the build process.
In this scenario secrets are still encrypted in the Travis CI database.
The issue is valid only for public repositories, not private repositories. (In the case of a private repository, the repository owner has full control over the ability of someone to fork the repository.)
The vendor said that it has resolved the underlying problem with a series of security patches, adding that users should consider making changes to their pass codes and authentication tokens as a precaution.
Security researcher Péter Szilágyi, team leader at Ethereum, slammed Travis CI for dismissing a security breach that posed a supply chain poisoning risk to enterprises that used the vendor in their software development process.
“Between Sept 3 and Sept 10, secure env vars of *all* public @travisci repositories were injected into PR [pull request] builds,” Szilágyi said in a thread on Twitter. “Signing keys, access creds, API tokens. Anyone could exfiltrate these and gain lateral movement into 1000s of orgs.
“Felix Lange found this on the 7th and we’ve notified @travisci within the hour. Their only response being ‘Oops, please rotate the keys’, ignoring that *all* their infra[structure] was leaking.”
Szilágyi further criticised Travis CI for its failure to acknowledge reports of vulnerabilities to its systems or to follow incident response best practices. “No analysis, no security report, no post-mortem, not warning any of their users that their secrets might have been stolen,” he concluded.
Travis CI’s poor handling of the problem ought to prompt its enterprise users to consider migrating away from the platform, Szilágyi advised.
Infosec specialist Jake Williams agreed that Travis CI was guilty of an “abysmal failure in handling an extremely serious vulnerability”.
Travis CI has yet to respond to multiple requests from The Daily Swig for comment on these criticisms.
Even less critical third-party observers noted that users attempting to follow Travis CI’s advice would likely run into practical difficulties.
“The fact that @travisci posted this without a straightforward way to see which of your repos are (1) public and (2) have build secrets is garbage,” said yan, a security engineer working on the privacy-focused Brave browser.
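The triage step yan describes, working out which repositories are both public and carry build secrets, and how many fork pull request builds ran during the window Szilágyi gives, can be scripted. The following is an added example and is not code from Travis CI, The Daily Swig, or any of the people quoted. It assumes JSON shaped like the GitHub repository listing (`full_name`, `private`) and the Travis CI v3 `env_vars` collection (`name`, `public`) and `builds` collection (`event_type`, `started_at`); those field names are assumptions drawn from the public APIs, the sample data is constructed, and the year of the window is not stated in the article and is assumed here.

```python
"""Rotation worklist for the Travis CI fork-PR secret exposure.

Added example (not Travis CI's or The Daily Swig's code). Inputs mirror
GitHub's repository listing and Travis CI v3 env_vars/builds responses;
field names are assumptions, and all sample data below is constructed.
"""
from datetime import datetime, timezone

# "Between Sept 3 and Sept 10" per the tweet; the year is assumed (not in the
# article). End is exclusive so that all of Sept 10 is inside the window.
WINDOW_START = datetime(2021, 9, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 9, 11, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a Travis-style UTC timestamp such as 2021-09-07T12:34:56Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def secret_env_vars(env_vars):
    """Names of env vars stored encrypted (public == False) and so worth rotating."""
    return sorted(v["name"] for v in env_vars if not v.get("public", False))


def pr_builds_in_window(builds, start, end):
    """Pull request builds started inside [start, end): the builds that could leak."""
    return [
        b for b in builds
        if b.get("event_type") == "pull_request"
        and start <= parse_ts(b["started_at"]) < end
    ]


def triage(github_repos, travis_env_vars, travis_builds, start, end):
    """One worklist entry per public repo that had encrypted env vars on Travis CI.

    Private repos are skipped because the advisory scopes the issue to public
    ones; repos without a Travis env_vars listing are treated as not built there.
    """
    report = []
    for repo in github_repos:
        slug = repo["full_name"]
        if repo.get("private"):
            continue
        if slug not in travis_env_vars:
            continue
        secrets = secret_env_vars(travis_env_vars[slug])
        if not secrets:
            continue
        exposed = pr_builds_in_window(travis_builds.get(slug, []), start, end)
        report.append({
            "repo": slug,
            "rotate": secrets,
            # Opportunity for leakage, not proof that anything was exfiltrated.
            "pr_builds_in_window": len(exposed),
        })
    return report


# Constructed sample data: four repos, only one of which needs action.
SAMPLE_REPOS = [
    {"full_name": "acme/web-app", "private": False},
    {"full_name": "acme/internal-tools", "private": True},
    {"full_name": "acme/docs", "private": False},
    {"full_name": "acme/no-ci", "private": False},
]
SAMPLE_ENV_VARS = {
    "acme/web-app": [
        {"name": "DEPLOY_KEY", "public": False},
        {"name": "NODE_ENV", "public": True},
    ],
    "acme/internal-tools": [{"name": "REGISTRY_TOKEN", "public": False}],
    "acme/docs": [{"name": "SITE_URL", "public": True}],
}
SAMPLE_BUILDS = {
    "acme/web-app": [
        {"event_type": "pull_request", "started_at": "2021-09-07T10:00:00Z"},
        {"event_type": "push", "started_at": "2021-09-08T11:00:00Z"},
        {"event_type": "pull_request", "started_at": "2021-09-15T09:00:00Z"},
    ],
}


def run_example():
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_REPOS, SAMPLE_ENV_VARS, SAMPLE_BUILDS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for entry in run_example():
        print(f"{entry['repo']}: rotate {entry['rotate']} "
              f"({entry['pr_builds_in_window']} PR build(s) in window)")
```

In practice the three inputs come from `GET /user/repos` on GitHub and the Travis CI v3 `env_vars` and `builds` endpoints for each repository slug; the script deliberately separates fetching from classification so the decision logic can be checked against known data before being pointed at live accounts. A non-zero `pr_builds_in_window` count should be read as exposure opportunity only: the advisory's own condition is that a file was printed during the build, which build logs, not metadata, would show.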