wtss

HCSEC-2023-01 - HashiCorp Response to CircleCI Security Alert

HashiCorp · Published 2023-01-11 · Incident: 2023-01-04 (CircleCI security alert)


<header> <a href="/">HashiCorp Discuss</a> </header> <div id="main-outlet" class="wrap" role="main"> <div id="topic-title"> <h1> <a href="/t/hcsec-2023-01-hashicorp-response-to-circleci-security-alert/48842">HCSEC-2023-01 - HashiCorp Response to CircleCI Security Alert</a> </h1> </div> <div itemscope itemtype='http://schema.org/DiscussionForumPosting'> <meta itemprop='headline' content='HCSEC-2023-01 - HashiCorp Response to CircleCI Security Alert'> <link itemprop='url' href='https://discuss.hashicorp.com/t/hcsec-2023-01-hashicorp-response-to-circleci-security-alert/48842'> <meta itemprop='datePublished' content='2023-01-11T16:52:05Z'> <meta itemprop='articleSection' content='Security'> <div itemprop='publisher' itemscope itemtype="http://schema.org/Organization"> <meta itemprop='name' content='HashiCorp'> <div itemprop='logo' itemscope itemtype="http://schema.org/ImageObject"> <meta itemprop='url' content='https://global.discourse-cdn.com/hashicorp/original/3X/5/c/5cdcd535aa3285da7087e6afc19a95e7bec59fc9.svg'> </div> </div> <div id='post_1' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.hashicorp.com/u/wbengtson'><span itemprop='name'>wbengtson</span></a> </span> <link 
itemprop="mainEntityOfPage" href="https://discuss.hashicorp.com/t/hcsec-2023-01-hashicorp-response-to-circleci-security-alert/48842"> <span class="crawler-post-infos"> <time datetime='2023-01-11T16:52:05Z' class='post-time'> January 11, 2023, 4:52pm </time> <meta itemprop='dateModified' content='2023-01-11T16:52:05Z'> <span itemprop='position'>1</span> </span> </div> <div class='post' itemprop='text'> <p><strong>Bulletin ID</strong>: HCSEC-2023-01<br> <strong>Publication Date</strong>: January 11, 2023</p> <p><strong>Summary</strong></p> <p>CircleCI Security Alert</p> <p>On January 4, 2023, CircleCI published a <a href="https://circleci.com/blog/january-4-2023-security-alert/">security alert</a> in which they recommended that their customers immediately rotate any and all secrets stored in CircleCI.</p> <p>HashiCorp uses CircleCI in a subset of code repositories and as a result, HashiCorp is proactively rotating secrets stored in HashiCorp’s CircleCI instance and checking all artifacts where CircleCI is used. Our current investigations have found no indication of unauthorized access or activity to HashiCorp products and services. 
We are monitoring guidance and updates from CircleCI and other security vendors for updates and will update this response as needed.</p> </div> </div> <div id='post_2' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.hashicorp.com/u/wbengtson'><span itemprop='name'>wbengtson</span></a> </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2023-01-19T00:26:51Z' class='post-time'> January 19, 2023, 12:26am </time> <meta itemprop='dateModified' content='2023-01-19T00:26:51Z'> <span itemprop='position'>2</span> </span> </div> <div class='post' itemprop='text'> <p>HashiCorp has finished analysis of the subset of repositories that were integrated with CircleCI and has created and executed a proactive secrets rotation plan starting from the time CircleCI notified customers of their security incident. We have not identified any unauthorized access or modification to HashiCorp systems and software over the time period in question, but continue to monitor them.</p> <p>We are taking a very conservative approach and rotated any secret that was stored in or connected to CircleCI. 
This includes proactive rotation of the following signing keys HashiCorp uses to sign/notarize packages and/or package metadata for customers to be able to verify the packages can be trusted:</p> <ul> <li>Linux Packaging GPG Key <ul> <li>Rotation scheduled on 1/23/2023</li> <li>Revocation scheduled on 4/24/2023</li> </ul> </li> <li>Windows Code Signing Key <ul> <li>Revoked on 1/5/2023</li> <li>New key acquired since the old key was expiring 1/20/2023</li> </ul> </li> <li>Apple Notarization Developer Certificate <ul> <li>Rotation scheduled on 1/23/2023</li> <li>Revocation scheduled on 4/24/2023</li> </ul> </li> </ul> <p><strong>Frequently Asked Questions</strong></p> <p><strong>Has any HashiCorp customer data been disclosed?</strong></p> <p>There is no evidence of HashiCorp customer data disclosure at this point in time.</p> <p><strong>Was HashiCorp source code and/or binaries maliciously modified?</strong></p> <p>There is no evidence of malicious modification to HashiCorp code or binaries at this point in time.</p> <p><strong>What happens when the keys mentioned above are revoked?</strong></p> <p><em>Linux Packaging GPG Key</em> - Linux systems that have trusted the revoked key will not be able to install the Linux packages (.deb or .rpm). Users will need to trust the new key found under the Linux Packaging section of our Security page here: <a href="https://www.hashicorp.com/security" class="inline-onebox">Security at HashiCorp</a>.</p> <p><em>Windows Code Signing Key</em> - Windows binaries and installers signed with the revoked signing key will continue to work due to HashiCorp utilizing the secure signing timestamp option when signing the binaries/installers. This allows Windows to know when the signature happened and verify against the revocation timestamp. 
All new Windows binaries and installers will be signed with the new HashiCorp code signing key moving forward.</p> <p><em>Apple Notarization Developer Certificate</em> - Once we proactively revoke our Apple Developer Certificate, all HashiCorp software built for Apple devices and signed by this certificate will stop working on the next execution. Due to this, we are waiting 90 days to revoke the key to allow users to download the newly signed binaries from our trusted release channel <a href="https://releases.hashicorp.com">https://releases.hashicorp.com</a>.</p> </div> </div> <div id='post_3' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.hashicorp.com/u/wbengtson'><span itemprop='name'>wbengtson</span></a> </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2023-01-31T21:56:31Z' class='post-time'> January 31, 2023, 9:56pm </time> <meta itemprop='dateModified' content='2023-01-31T21:56:31Z'> <span itemprop='position'>3</span> </span> </div> <div class='post' itemprop='text'> <p>Initial response and investigation activities associated with this event have been completed. 
The proactive key rotation noted above has completed successfully and packages have been re-signed with the new keys.</p> <p>There was no evidence of HashiCorp customer data disclosure and no evidence of malicious modification to HashiCorp source code or binaries. HashiCorp will continue to monitor public channels for indication of misuse until the revocation of keys on April 24, 2023. If we suspect any indication of misuse, we will revoke the keys at that time, ahead of April 24, 2023.</p> </div> </div> <div id='post_4' itemprop='comment' itemscope itemtype='http://schema.org/Comment' class='topic-body crawler-post'> <div class='crawler-post-meta'> <span class="creator" itemprop="author" itemscope itemtype="http://schema.org/Person"> <a itemprop="url" rel='nofollow' href='https://discuss.hashicorp.com/u/jfinnigan'><span itemprop='name'>jfinnigan</span></a> </span> <span class="crawler-post-infos"> <time itemprop='datePublished' datetime='2023-04-24T21:47:47Z' class='post-time'> April 24, 2023, 9:47pm </time> <meta itemprop='dateModified' content='2023-04-24T21:47:47Z'> <span itemprop='position'>4</span> </span> </div> <div class='post' itemprop='text'> <p>The Apple developer certificate referred to in our previous update was revoked as scheduled on April 24, 2023. The Linux packaging GPG key was also revoked as scheduled. 
For information about possible revocation-related customer impact and remediation guidance, please see <a href="https://support.hashicorp.com/hc/en-us/articles/13177506317203">https://support.hashicorp.com/hc/en-us/articles/13177506317203</a>.</p> <p>There remains no evidence of HashiCorp customer data disclosure and no evidence of malicious modification to HashiCorp source code or binaries as a result of this security alert.</p> </div> </div> </div> </div>
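The second post in the thread explains why Windows binaries signed with the revoked key keep working: HashiCorp signed with the secure timestamp option, so a verifier evaluates the certificate as of the countersigned signing time rather than as of now. The following is an added illustration of that rule, not HashiCorp's code and not the Windows Authenticode implementation: a small policy model that classifies a signature as valid, expired or revoked given the certificate's validity window, its revocation date and an optional trusted timestamp. The dates follow the bulletin's timeline (revoked 1/5/2023, expiring 1/20/2023); the `not_before` date, the `SigningCert`/`Signature`/`evaluate` names and the simplified three-way outcome are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC date (used for the constructed sample dates below)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SigningCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date published by the CA, if any


@dataclass(frozen=True)
class Signature:
    # Trusted countersignature time from a timestamp authority, or None when the
    # binary was signed without the secure-timestamp option.
    timestamp: Optional[datetime] = None


def evaluate(sig: Signature, cert: SigningCert, now: datetime) -> str:
    """Classify a signature as 'valid', 'expired' or 'revoked' when checked at `now`.

    A trusted timestamp fixes the evaluation time at the moment of signing, so the
    certificate only has to have been inside its validity window and unrevoked at
    that instant. Without a timestamp the claimed signing time is unverifiable, so
    the certificate is judged as of `now`, and any expiry or revocation since
    signing breaks the signature. Expiry is reported before revocation when both apply.
    """
    effective = sig.timestamp if sig.timestamp is not None else now
    if not (cert.not_before <= effective <= cert.not_after):
        return "expired"
    if cert.revoked_at is not None and effective >= cert.revoked_at:
        return "revoked"
    return "valid"


# Constructed sample certificate following the bulletin's timeline: revoked on
# 2023-01-05, due to expire on 2023-01-20. The not_before date is an assumption.
OLD_WINDOWS_KEY = SigningCert(
    not_before=utc(2020, 1, 20),
    not_after=utc(2023, 1, 20),
    revoked_at=utc(2023, 1, 5),
)


def demo(now: datetime = utc(2023, 4, 24)) -> dict:
    """Evaluate representative signatures at `now` (default: the thread's final update date)."""
    cases = {
        # Release signed and timestamped before the revocation date: still trusted.
        "timestamped_before_revocation": Signature(timestamp=utc(2022, 12, 1)),
        # Timestamped after the revocation date: a signature produced with the key
        # after the incident is rejected, which is what revocation is for.
        "timestamped_after_revocation": Signature(timestamp=utc(2023, 1, 6)),
        # Signed without a timestamp: judged at `now`, when the cert has already expired.
        "no_timestamp": Signature(timestamp=None),
    }
    return {name: evaluate(sig, OLD_WINDOWS_KEY, now) for name, sig in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
    # An untimestamped signature checked between revocation and expiry fails on
    # revocation rather than expiry.
    print("no_timestamp@2023-01-10:", evaluate(Signature(), OLD_WINDOWS_KEY, utc(2023, 1, 10)))
```

The model only captures the time comparison the bulletin relies on. A real verifier additionally checks the timestamp authority's own chain and honours whatever effective revocation date the CA publishes, so a release timestamped before that date passes while anything signed after it, or signed with no timestamp at all, does not. That difference is also why the thread handles the other two keys differently: Apple Developer ID binaries and Linux packages signed by the revoked GPG key stop being accepted regardless of when they were signed, so users there must re-download newly signed releases or trust the new key.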