J1  Rapid Response: Travis CI Flaw

by

On Monday, September 13, Travis CI put out a security bulletin obliquely mentioning a security problem. "As a reminder from the Support Team, cycling your secrets is something that all users should do on a regular basis per your company's security process. If you are unsure how to do this please contact Support and we would be happy to help you."

That wasn't much to go on until our friend and researcher Ax Sharma published a detailed history and description of the flaw in his article, "Travis CI flaw exposed secrets of thousands of open source projects". Ax explains, "Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables of all public open source repositories that use Travis CI into pull request builds."

Our internal story

The engineering team at JupiterOne saw the article and checked our systems to see to what degree we are using TravisCI for our public repos. It turns out, we haven't used it in a while, so there wasn't much concern on our end. While we weren't at risk, we had to also make sure our customers were not affected either.

J1 Query: Were you affected?

As we thought it through, the question we think most J1 users will find most useful is, "Which PRs were created by users who are not members of my GitHub org that could have exposed secrets from Travis CI?". This type of query will help identify which PRs were created by unknown authors (e.g. authors that are not members of your GitHub organization) during the time that the vulnerability could have been exposed. You will want to audit each commit from those PRs to determine whether a bad actor attempted to access credentials from a Travis build.

FIND github_app
WITH name~=('travis' OR 'Travis')
THAT INSTALLED github_account
THAT OWNS github_repo
THAT HAS github_pullrequest
/* 9/03/2021 */
WITH _createdOn >= 1630627200000
/* 9/11/2021 */
AND _createdOn <= 1631318400000
AND author != undefined and author != ''
/* This is an unknown (e.g. untrusted) user */
THAT !OPENED github_user
RETURN
github_account.displayName,
github_repo.displayName,
github_repo.webLink,
github_pullrequest.displayName,
github_pullrequest.webLink,
github_pullrequest.author,
github_pullrequest.authorLogin

What you can do

For existing JupiterOne users who have enabled GitHub integration, you can run the query to interrogate your system for the vulnerability. Not a current JupiterOne user? You can run the query immediately when you register for your free, lifetime license. You'll get immediate access to the platform and can quickly find these issues and more.

The JupiterOne: Rapid Response Series provides immediate visibility into publicly announced issues that might be affecting the security of your systems. To be notified when a new update is published, sign up for our newsletter. No spam, just the good stuff once or twice a month. Sign up below.

Austin Kelleher
Austin Kelleher

Austin Kelleher leads the Integrations team at JupiterOne. His background is in building highly-scalable cloud systems, and he has been recently focused on modeling data for graph-based security analysis. Austin holds a B.S. in Computer Science from Penn State University.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.