HCSEC-2023-01 - HashiCorp Response to CircleCI Security Alert

Bulletin ID: HCSEC-2023-01
Publication Date: January 11, 2023

Summary

CircleCI Security Alert

On January 4, 2023, CircleCI published a security alert in which they recommended that their customers immediately rotate any and all secrets stored in CircleCI.

HashiCorp uses CircleCI in a subset of code repositories and, as a result, is proactively rotating secrets stored in HashiCorp’s CircleCI instance and checking all artifacts where CircleCI is used. Our current investigations have found no indication of unauthorized access to, or activity against, HashiCorp products and services. We are monitoring guidance from CircleCI and other security vendors and will update this response as needed.

HashiCorp has finished analysis of the subset of repositories that were integrated with CircleCI and has created and executed a proactive secrets rotation plan covering the period from the time CircleCI notified customers of their security incident. We have not identified any unauthorized access to or modification of HashiCorp systems and software over the time period in question, but continue to monitor them.

We are taking a very conservative approach and have rotated any secret that was stored in or connected to CircleCI. This includes proactive rotation of the following signing keys, which HashiCorp uses to sign or notarize packages and package metadata so that customers can verify the packages can be trusted:

  • Linux Packaging GPG Key
    • Rotation scheduled on 1/23/2023
    • Revocation scheduled on 4/24/2023
  • Windows Code Signing Key
    • Revoked on 1/5/2023
    • New key acquired since the old key was expiring 1/20/2023
  • Apple Notarization Developer Certificate
    • Rotation scheduled on 1/23/2023
    • Revocation scheduled on 4/24/2023

Frequently Asked Questions

Has any HashiCorp customer data been disclosed?

There is no evidence of HashiCorp customer data disclosure at this point in time.

Was HashiCorp source code and/or binaries maliciously modified?

There is no evidence of malicious modification to HashiCorp code or binaries at this point in time.

What happens when the keys mentioned above are revoked?

Linux Packaging GPG Key - Linux systems that have trusted the revoked key will not be able to install the Linux packages (.deb or .rpm). Users will need to trust the new key, found under the Linux Packaging section of our Security page (Security at HashiCorp).

Windows Code Signing Key - Windows binaries and installers signed with the revoked key will continue to work because HashiCorp uses the secure signing timestamp option when signing binaries and installers. The timestamp lets Windows establish when the signature was made and compare that against the revocation time. All new Windows binaries and installers will be signed with the new HashiCorp code signing key going forward.

Apple Notarization Developer Certificate - Once we proactively revoke our Apple Developer Certificate, all HashiCorp software built for Apple devices and signed by this certificate will stop working on its next execution. For this reason, we are waiting 90 days before revoking the certificate, to give users time to download the newly signed binaries from our trusted release channel, https://releases.hashicorp.com.
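As an added example (not part of this bulletin and not HashiCorp tooling), the following audits a `gpg --list-keys --with-colons` dump of a package trust store, flags keys whose validity field marks them revoked or expired, and checks whether an expected replacement key fingerprint is already trusted. All key IDs, fingerprints and user IDs in the sample are constructed placeholders, not HashiCorp's keys.

```python
"""Audit a `gpg --list-keys --with-colons` dump for revoked/expired signing keys.
All key IDs, fingerprints and user IDs below are CONSTRUCTED placeholders."""
from dataclasses import dataclass

NEW_KEY_FPR = "111111111111111111111111FEDCBA9876543210"  # constructed

# Constructed listing: old key revoked (validity field "r"), new key valid ("-").
SAMPLE_LISTING = f"""\
pub:r:4096:1:0123456789ABCDEF:1580000000:0::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:r::::1580000000::HASH1::Example Packaging Key <packaging@example.invalid>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1674000000:0::-:::scESC::::::23::0:
fpr:::::::::{NEW_KEY_FPR}:
uid:-::::1674000000::HASH2::Example Packaging Key 2023 <packaging@example.invalid>::::::::::0:
"""

@dataclass
class SigningKey:
    key_id: str
    validity: str        # "r" revoked, "e" expired, "f"/"u" trusted, "-" unknown
    fingerprint: str = ""
    uid: str = ""

def parse_listing(text: str) -> list[SigningKey]:
    """Collect primary keys; fpr/uid records belong to the preceding pub record."""
    keys: list[SigningKey] = []
    current = None                      # pub awaiting its fpr/uid; None after a sub
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = SigningKey(key_id=f[4], validity=f[1])
            keys.append(current)
        elif f[0] == "sub":
            current = None              # a subkey's fpr must not overwrite the primary's
        elif current is not None and f[0] == "fpr" and not current.fingerprint:
            current.fingerprint = f[9]
        elif current is not None and f[0] == "uid" and not current.uid:
            current.uid = f[9]
    return keys

def audit_keyring(text: str, expected_new_fpr: str) -> tuple[list[str], bool]:
    """Return (keys that must be replaced, whether the new key is already trusted)."""
    keys = parse_listing(text)
    findings = []
    for k in keys:
        if k.validity == "r":
            findings.append(f"revoked: {k.key_id} ({k.uid})")
        elif k.validity == "e":
            findings.append(f"expired: {k.key_id} ({k.uid})")
    trusted = any(k.fingerprint.upper() == expected_new_fpr.upper() for k in keys)
    return findings, trusted
```

Pipe a real `gpg --no-default-keyring --keyring <file> --list-keys --with-colons` dump into `audit_keyring` with the fingerprint published on the vendor's security page to see which trusted keys need replacing.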

Initial response and investigation activities associated with this event have been completed. The proactive key rotation noted above has completed successfully and packages have been re-signed with the new keys.

There was no evidence of HashiCorp customer data disclosure and no evidence of malicious modification to HashiCorp source code or binaries. HashiCorp will continue to monitor public channels for indications of misuse until the keys are revoked on April 24, 2023. If we see any indication of misuse, we will revoke the keys at that time, ahead of April 24, 2023.