Head over to our on-demand library to view sessions from VB Transform 2023. Register Here
A private code-signing key was exposed by a compromised Codecov script, open source company HashiCorp said in its discussion forum.
Codecov, which makes software auditing tools for developers to see how thoroughly their code is being tested, revealed earlier this month that the script used to upload data to its servers had been modified by unknown actors. The script took advantage of the fact that Codecov’s tools have access to internal accounts and exported those credentials to an unauthorized server.
HashiCorp was one of Codecov’s customers affected by the tampered script, HashiCorp product security director Jamie Finnigan wrote on the company’s discussion forum last week. HashiCorp’s Terraform product is an open source infrastructure-as-a-code software tool widely used for automated cloud deployments.
“[HashiCorp] found that a subset of HashiCorp CI pipelines used the affected Codecov component,” Finnigan wrote, noting that the GPG [Gnu Privacy Guard] private key used for signing hashes used to validate HashiCorp product downloads had been exposed.
VB Transform 2023 On-Demand
Did you miss a session from VB Transform 2023? Register to access the on-demand library for all of our featured sessions.
Revoking the key
The dangerous thing about having a private key exposed is that an attacker can use it to sign anything and the signed file will look like a legitimate file from the owner of the key. In this case, the concern was that someone could have modified one of HashiCorp’s downloads to include malicious code and then re-signed it with the private key. As far as anyone would be able to tell, that file would appear to be an update from HashiCorp that was safe to download and install.
Finnigan said the company’s investigation did not show that any of its existing releases had been modified. HashiCorp revoked the exposed key and re-signed its downloadables with a brand-new key.
“[The] GPG key used for release signing and verification has been rotated,” Finnigan wrote. “Customers who verify HashiCorp release signatures may need to update their process to use the new key.”
While all official downloads on HashiCorp’s website have been signed with the new key, there are still some problems for HashiCorp customers. In environments where HashiCorp product downloads are manually or automatically validated, customers will need to manually update to reflect the key change. Also, Terraform downloads provider binaries and performs signature verification as part of one process during automatic code verification, and that process is still using the revoked key.
“HashiCorp will publish patch releases of Terraform and related tooling, which will update the automatic verification code to use the new GPG key,” Finnigan said. Until then, customers can manually verify Terraform has the new key and signatures.
Supply chain attack impact
This is just one of many disclosures as companies assess whether they were impacted by Codecov’s security breach. More than 29,000 enterprise customers worldwide use Codecov’s tools, and the malicious script was present from January 31 until its discovery on April 1. Codecov discussed the breach and how credentials, tokens, and keys could potentially have been exposed in a blog post on April 15.
CircleCI, a continuous integration and delivery platform, confirmed to Cybersecurity Dive that the Codecov breach had impacted its integration with the code testing firm CircleCI Orb.
Codecov’s breach is a form of supply chain attack, where attackers target a company’s suppliers or vendors. By compromising Codecov, the attackers got their hands on all kinds of API keys, login credentials, and other security information. In the case of HashiCorp, if the attackers had tampered with the company’s tools, that would be yet another supply chain attack because those tools are widely used within enterprises.
It’s possible the attackers used the harvested credentials in other attacks that have not yet been discovered. The fact that HashiCorp’s private key was exposed is bad enough — but the company hasn’t said whether anything else has been stolen or compromised.
“HashiCorp has performed additional remediations related to information potentially exposed during this incident,” Finnigan said, but he did not provide details about what else may have been harvested.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.