HCSEC-2021-12 - Codecov Security Event and HashiCorp GPG Key Exposure

Bulletin ID: HCSEC-2021-12
Publication Date: April 22, 2021

Summary
HashiCorp was impacted by a security incident with a third party (Codecov) that led to potential disclosure of sensitive information. As a result, the GPG key used for release signing and verification has been rotated. Customers who verify HashiCorp release signatures may need to update their process to use the new key.

Codecov Security Event
On April 15, 2021, Codecov (a code coverage solution) publicly disclosed a security event during which an unauthorized party was able to make modifications to a Codecov component that Codecov customers download and execute when using the solution.

These modifications allowed the unauthorized party to potentially export information stored in Codecov users’ continuous integration (CI) environments. Codecov disclosed that the unauthorized access began on January 31, 2021, and was identified/remediated on April 1, 2021.

The Codecov disclosure is available at https://about.codecov.io/security-update/ 445.

On investigation, HashiCorp found that a subset of HashiCorp CI pipelines used the affected Codecov component.

Exposure of HashiCorp GPG Key
The GPG private key used for signing hashes used to validate HashiCorp product downloads (SHA256SUM files, as available from https://releases.hashicorp.com 262 and documented at https://hashicorp.com/security 360) was exposed.

While investigation has not revealed evidence of unauthorized usage of the exposed GPG key, it has been rotated in order to maintain a trusted signing mechanism. A new GPG keypair (fingerprint C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F) has been published, and the exposed GPG keypair (fingerprint 91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C) has been revoked. Existing releases have been validated and re-signed, and updated information regarding key status and signature verification published to https://hashicorp.com/security 360.

Note that this exposure only affects HashiCorp’s SHA256SUM signing mechanism. MacOS code signing/notarization and Windows AuthentiCode signing of HashiCorp releases for those platforms were unaffected by the exposed GPG key in question. Signing for Linux packages (Debian and RPM) available from releases.hashicorp.com was also unaffected.

There is Terraform-specific context to consider. Terraform automatically downloads provider binaries during the terraform init operation and performs signature verification during this process. HashiCorp has published patch releases of Terraform and related tooling which update the automatic verification code to use the new GPG key, and provided separate Terraform-specific guidance 335.

Exposure of Other Information
HashiCorp has performed additional remediations related to information potentially exposed during this incident. Incident response activities are ongoing, and relevant updates and outcomes will be shared promptly when available via https://discuss.hashicorp.com/c/security 192.

HashiCorp Customer Impact
In general, customers should ensure that they download HashiCorp products only from the official release channel accessible directly at https://releases.hashicorp.com 262 or linked from HashiCorp web properties.

In customer environments where HashiCorp product downloads are manually or automatically validated using the SHA256SUM files and associated signatures 153, process or configuration updates may be necessary to reflect the change in HashiCorp’s GPG key.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security 360.