Atlassian Bitbucket artifacts can leak plaintext auth secrets and techniques

Risk actors have been discovered breaching AWS accounts utilizing authentication secrets and techniques leaked as plaintext in Atlassian Bitbucket artifact objects.

The problem was found by Mandiant, who was investigating a latest publicity of Amazon Net Providers (AWS) secrets and techniques that risk actors used to achieve entry to AWS.

Though the difficulty was found within the context of an investigation, it illustrates how information beforehand regarded as secured, can be leaked in plaintext to public repositories.

BitBucket’s secured variables

Bitbucket is a Git-compatible web-based model management repository and internet hosting service run by Atlassian, providing builders a code administration and collaboration platform.

Bitbucket Pipelines is an built-in steady supply/deployment (CI/CD) service that automates the construct, check, and deployment processes.

System admins typically hyperlink Pipelines on to AWS for fast deployment of apps and to entry sources utilizing AWS CLI, SDKs, and different AWS instruments.

To facilitate this automation, Bitbucket permits builders to retailer delicate info, comparable to AWS authentication secrets and techniques, in ‘Secured Variables’ to simply use these variables of their code with out exposing the keys to different folks.

Storing secured variables in Bitbucket
Storing secured variables in Bitbucket
​​​​​​​Supply: Mandiant

When a variable is ready as secured in BitBucket, they are saved in encrypted type to forestall public publicity of its values within the Bitbucket setting.

“You can secure a variable, which means it can be used in your scripts but its value will be hidden in the build logs (see example below),” explains the Bitbucket documentation.

“If you want to edit a secure variable, you can only give it a new value or delete it.  Secure variables are stored as encrypted values.”

Nevertheless, Mandiant found that artifact objects generated throughout pipeline runs can comprise delicate info, together with secured variables in plaintext. As builders might not bear in mind that these secrets and techniques are uncovered in artifact recordsdata, the supply code could also be printed to public repositories the place risk actors can steal them.

Secrets and techniques in plaintext

Artifacts are outlined within the bitbucket-pipelines.yml config file used to specify a Bitbucket mission’s CI/CD processes.

One of many directives in these recordsdata is artifacts:, which are used to specify variables, recordsdata, and directories which are exported to artifact objects to be retained and utilized in additional steps of the construct and testing course of.

Mandiant says that it is not uncommon for builders to make use of the printenv command to retailer all setting recordsdata in a textual content file, which is then handed to an artifact object for future steps within the construct course of.

Exporting all environment variables to an artifact object
Exporting all setting variables to an artifact object
Supply: Mandiant

Nevertheless, doing so will trigger “secured variables” to be exported in plaintext to the artifact file fairly than in its encrypted type.

If these artifact recordsdata are then saved in a public location, a risk actor can merely open the textual content file and consider all variables in plaintext, simply stealing authentication secrets and techniques that can be utilized to steal information or carry out different malicious exercise.

Text file exposing secrets in plain text
Textual content file exposing secrets and techniques in plain textual content
Supply: Mandiant

“Mandiant has seen instances in which development teams used Bitbucket artifacts in web application source code for troubleshooting purposes, but, unbeknownst to the development teams, those artifacts contained plain text values of secret keys,” reads the report.

“This resulted in secret keys being exposed to the public internet where they were located and subsequently leveraged by attackers to gain unauthorized access.”

One other chance in response to Mandiant is misconfiguring the ‘bitbucket-pipelines.yml’ file which defines the CI/CD pipeline, to incorporate secured variables in logs or artifacts.

When pipeline scripts log setting variables for debugging functions, they will unintentionally log delicate info, and since these logs are sometimes saved in accessible areas, there’s once more a danger of secret publicity.

Mitigation ideas

Mandiant reminds builders that Bitbucket was not designed to handle secrets and techniques, suggesting {that a} devoted, specialised product is used for that goal as an alternative.

Builders are additionally beneficial to fastidiously evaluation artifacts to make sure no plain textual content secrets and techniques are contained contained in the generated recordsdata.

Lastly, it’s advisable to deploy code scanning over the entire pipeline lifecycle to catch secret publicity occasions and take away them previous to the code reaching manufacturing.

Recent articles