Hashicorp revoked private key exposed in Codecov security breach

A private code-signing key was exposed by a compromised Codecov script, open source company HashiCorp said in its discussion forum.

Codecov, which makes software auditing tools for developers to see how thoroughly their code is being tested, revealed earlier this month that the script used to upload data to its servers had been modified by unknown actors. The script took advantage of the fact that Codecov’s tools have access to internal accounts and exported those credentials to an unauthorized server.

HashiCorp was one of Codecov’s customers affected by the tampered script, Jamie Finnigan, director of product security at HashiCorp, wrote on the company’s discussion forum last week. HashiCorp’s Terraform product is an open source infrastructure-as-code software tool widely used for automated cloud deployments.

“[HashiCorp] found that a subset of HashiCorp CI pipelines used the affected Codecov component,” Finnigan wrote, noting that the GPG [Gnu Privacy Guard] private key used for signing hashes used to validate HashiCorp product downloads had been exposed.

Revoking the key

The dangerous thing about having a private key exposed is that an attacker could use it to sign anything and the signed file will look as if it was a legitimate file from the owner of the key. In this case, the concern was that someone could have modified one of HashiCorp’s downloads to include malicious code and then resigned it with the private key. As far as anyone would be able to tell, that file was an update from HashiCorp and it was safe to download and install.

HashiCorp’s Finnigan said its investigation did not show that any of its existing releases had been modified. The company revoked the exposed key and re-signed its downloadables with a brand-new key.

“[The] GPG key used for release signing and verification has been rotated,” Finnigan wrote. “Customers who verify HashiCorp release signatures may need to update their process to use the new key.”

While all official downloads on HashiCorp’s website have been signed with the new key, there are still some problems for HashiCorp customers. In environments where HashiCorp product downloads are manually or automatically validated, customers will need to manually update to reflect the key change. Also, Terraform downloads provider binaries and performs signature verification as part of one process during automatic code verification, and that process is still using the revoked key.

“HashiCorp will publish patch releases of Terraform and related tooling which will update the automatic verification code to use the new GPG key,” Finnigan said. Until then, customers can manually verify Terraform the new key and signatures.

Supply chain attack impact

This is just one of many disclosures as companies assess whether they were impacted by Codecov’s security breach. More than 29,000 enterprise customers worldwide use Codecov’s tools and the malicious script was present from Jan. 31 until its discovery on April 1. Codecov discussed the breach and how credentials, tokens, and keys could potentially have been exposed in a blog post on April 15.

CircleCI, a continuous integration and continuous delivery platform, confirmed to Cybersecurity Dive that the Codecov breach impacted its integration with the code testing firm CircleCI Orb.

Codecov’s breach is a form of supply chain attack, where attackers target a company’s suppliers or vendors. By compromising Codecov, the attackers got their hands on all kinds of API keys, login credentials, and other security information. In the case of HashiCorp, if the attackers had tampered with the company’s tools, that would be yet another supply chain attack because those tools are widely used within enterprises.

It’s possible the attackers may have used the harvested credentials in other attacks that have not yet been discovered. The fact that HashiCorp’s private key was exposed is bad enough — but the company hasn’t said if anything else had been stolen or compromised.

“HashiCorp has performed additional remediations related to information potentially exposed during this incident,” Finnigan said, but did not provide details about what else may have been harvested.