Secrets from Public Repositories Were Exposed Due to Travis CI Flaw


Travis CI, a continuous integration provider headquartered in Berlin, has patched a severe flaw that exposed the secret environment variables of public repositories, including signing keys, API keys and access credentials, potentially putting thousands of organizations at risk. Given the possible consequences, the company has been criticized for not publishing a more detailed description of the vulnerability. Péter Szilágyi, team lead on the Ethereum project, tweeted, "Anyone could exfiltrate these [secrets] and gain lateral movement into 1000s of orgs."

The flaw, tracked as CVE-2021-41077, has been fixed by Travis CI. Organizations that used Travis CI with secrets during the affected period are advised to rotate those secrets as soon as possible. According to Szilágyi, Felix Lange identified the vulnerability on September 7 and reported it to Travis CI. Travis CI says it began fixing the issue on September 3, which would mean it noticed the problem before being contacted, although the exact timeline is unclear.

"The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process." 

In other words, anyone who forked a public repository could open a pull request against it, and the build triggered by that pull request would run with the upstream repository's secret environment variables available, where the build steps controlled by the fork could read and print them. This is the opposite of the documented behaviour: Travis CI's documentation states that encrypted environment variables are not made available to pull requests from forks, precisely because of the risk of exposing them to unknown code.
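The trust boundary at issue is the one between a build triggered by the repository itself (a push or a same-repository pull request) and one triggered by a fork. The following is an added example, not code from Travis CI's documentation or from the post: a job-side guard in POSIX shell that refuses to use secrets in fork pull-request builds, based on the `TRAVIS_PULL_REQUEST`, `TRAVIS_PULL_REQUEST_SLUG`, `TRAVIS_REPO_SLUG` and `TRAVIS_SECURE_ENV_VARS` variables that Travis CI exports into every job. The function names and the secret variable names `SIGNING_KEY` and `API_TOKEN` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a job-side trust-boundary check for a Travis CI build.
# Variables Travis CI exports into every job:
#   TRAVIS_PULL_REQUEST      "false" for push builds, otherwise the PR number
#   TRAVIS_REPO_SLUG         owner/repo of the repository being built
#   TRAVIS_PULL_REQUEST_SLUG owner/repo of the repository the PR came from
#   TRAVIS_SECURE_ENV_VARS   "true" when encrypted variables were injected
# The secret names passed to drop_secrets_if_fork are assumptions.

# is_fork_pr: succeeds when the build was triggered by a pull request
# whose head repository is not the repository being built.
is_fork_pr() {
    [ "${TRAVIS_PULL_REQUEST:-false}" != "false" ] || return 1
    [ "${TRAVIS_PULL_REQUEST_SLUG:-}" != "${TRAVIS_REPO_SLUG:-}" ]
}

# drop_secrets_if_fork NAME...: defence in depth. If the provider injected
# secrets into a fork PR build anyway (the condition of CVE-2021-41077),
# remove them from the environment before any later build step runs.
# Returns 0 if secrets were dropped, 1 if this is not a fork PR build.
drop_secrets_if_fork() {
    is_fork_pr || return 1
    for name in "$@"; do
        unset "$name"
    done
}

# deploy_allowed: steps that sign or publish artefacts run only when the
# build is trusted (push or same-repo PR) and secrets were actually provided.
deploy_allowed() {
    ! is_fork_pr && [ "${TRAVIS_SECURE_ENV_VARS:-false}" = "true" ]
}

# Example use at the top of a build script (only runs inside a Travis job,
# where TRAVIS=true is set by the provider).
if [ "${TRAVIS:-}" = "true" ]; then
    drop_secrets_if_fork SIGNING_KEY API_TOKEN || true
    if deploy_allowed; then
        echo "trusted build with secrets: running signing step"
    else
        echo "untrusted build or no secrets: skipping signing step"
    fi
fi
```

Such a guard protects the repository's own pipeline from consuming secrets in a fork build, for example when a well-meaning contributor's pull request dumps the environment for debugging. It cannot stop a malicious fork, because a fork controls the `.travis.yml` that its pull request builds with, so the provider must withhold the secrets in the first place, and any secret that was present in a fork build during the affected window has to be treated as compromised and rotated.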

According to Geoffrey Huntley, an Australian software and DevOps engineer, Travis CI's vulnerability poses a supply chain risk for software developers and any organization using software from Travis CI projects. "For a CI provider, leaking secrets is up there with leaking the source code as one of the worst things you never want to do," Huntley says. 

Szilágyi further chastised Travis CI for downplaying the incident and failing to acknowledge its "gravity," and urged GitHub to ban the company over its weak security posture and its handling of vulnerability reports.

"After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."

Berlin accused Russian hackers of preparing cyberattacks before the elections

Andrea Sasse, a spokeswoman for the German Foreign Ministry, said that German intelligence agencies have observed increasing activity by hackers allegedly linked to Russia.

"The German government calls on the Russian government to immediately stop this illegal cyber activity," she said.

According to the newspaper Süddeutsche Zeitung, the Federal Office for the Protection of the Constitution (Germany's domestic intelligence and counterintelligence agency) and the Federal Office for Information Security have also warned of the threat. According to them, hackers have increasingly been targeting the personal and official email accounts of members of parliament.

The intelligence service warns that hackers can use the data obtained "to publish personal and intimate information or even fabricated fake news."

"The federal government has reliable information that [the hacker group] Ghostwriter, cybercriminals of the Russian state and, in particular, the Russian military intelligence of the GRU are behind the attacks," Sasse said. According to her, Berlin considers what is happening "as a heavy burden for bilateral relations."

According to the U.S. cybersecurity company FireEye, Ghostwriter has been active since at least 2017 and operates "in accordance with the security interests of Russia." The group specializes in spreading disinformation, primarily aimed at audiences in Lithuania, Latvia and Poland and mainly concerning the presence of NATO forces in Eastern Europe.

In May 2020, German Chancellor Angela Merkel announced that there was evidence of Russian involvement in the 2015 cyberattack on the German parliament. In that attack, malware was introduced into the Bundestag network and the attackers gained access to internal documents. The German federal prosecutor's office issued an arrest warrant for the Russian national Dmitry Badin, accusing him of working for the Russian intelligence services. According to German intelligence agencies, the group known as APT28 or Sofacy, which they described as "financed by the Russian government," was behind the attack.