The recently disclosed security incident at CicleCI has put customers in a pinch to update any secrets stowed inside their systems.
Customers of the the CI/CD DevOps platform need to update their protected data — ranging from tokens and keys of all sorts — stat, the company said in its Jan. 4 announcement and regular, subsequent updates.
However, the company assured its users it is still safe to build applications with CircleCI.
Besides sharing tools to help teams track down all of the potentially impacted secrets, CircleCI announced it is also working with AWS to notify those to have possible breached tokens. The company proactively updated GitHub and Bitbucket 0Auth tokens as well, CircleCI said. reported.
CircleCI also warned customers of a credential harvesting scam circulating, trying to get victims to enter their GitHub logins with a bogus Terms of Service update.
CircleCI Security Incident Fallout
Following the notification of the CircleCI security incident, researchers at Datadog discovered that a RPM GNU Privacy Guard (GPG) private signing key and its password were also vulnerable. Although the Datadog team found no evidence of exploitation, they have updated their RPM keys. The team also recommended key updates for those operating an RPM-based Linux distribution in which the system trusts the affected GPG key.
“The signing key, if actually leaked, could be used to construct an RPM package that looks like it’s from Datadog, but it would not be enough to place such a package in our official package repositories,” the alert from Datadog explained. “A hypothetical attacker with the affected key would need to be able upload the constructed RPM package to a repository used by the system.”