CLI Tools from AWS, Google, and Azure Could Unintentionally Expose Credentials
April 16, 2024
Research published by the cloud security company Orca shows that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud, as well as Microsoft Azure before its fix, can inadvertently write sensitive credentials into build logs, a significant risk for organizations that run these tools in automated pipelines. Orca has named the issue LeakyCLI.
According to Roi Nisimi, a security researcher at Orca, 'Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions.' Microsoft addressed the Azure CLI instance of the problem in its November 2023 security updates, assigning it CVE-2023-36052 (CVSS score: 8.6).
The core of the issue is that certain CLI commands print the environment variables configured on a resource as part of their normal output. When such a command runs inside a Continuous Integration and Continuous Deployment (CI/CD) job, that output is captured in the pipeline's build log, and if the log is public or reachable by an attacker, so are the variables. Orca found several GitHub projects that had leaked access tokens and other sensitive data this way through GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.
However, unlike Microsoft, Amazon and Google regard this as expected behavior rather than a vulnerability. Both recommend that organizations avoid storing secrets in environment variables at all and instead keep them in a dedicated secrets store such as AWS Secrets Manager or Google Cloud Secret Manager, fetching them at runtime rather than baking them into a resource's environment configuration. Google also points to the '--no-user-output-enabled' option, which stops the command from printing its output to standard output and standard error; note that this suppresses the whole response, so a pipeline step that needs to parse the command's output must be restructured rather than simply silenced.
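As an added illustration (not code from the article or from Orca), the Python below shows both sides of the problem on constructed data: a redaction step that masks the values under `Environment.Variables` in a CLI's JSON output before it is echoed to a build log, and a scanner that flags log lines where such values, or an AWS access key ID, already appear. The sample CLI output, the log excerpt, the variable names, and the `aws lambda get-function-configuration` invocation shown in the constructed log are assumptions for this example; the article itself names no specific command.

```python
"""Two guards against the LeakyCLI pattern: mask environment-variable values
in CLI output before it reaches a CI/CD log, and scan existing log lines for
values that slipped through. Example code, not from the article or Orca."""
import json
import re

MASK = "***REDACTED***"

# Constructed sample in the shape a cloud CLI uses when it describes a
# serverless function, including its configured environment variables.
# All values are made up for this example.
SAMPLE_CLI_OUTPUT = json.dumps(
    {
        "FunctionName": "orders-api",
        "Runtime": "python3.12",
        "Environment": {
            "Variables": {
                "DB_HOST": "db.internal",
                "DB_PASSWORD": "hunter2-not-a-real-password",
                "THIRD_PARTY_API_KEY": "sk_test_000000000000",
            }
        },
    },
    indent=2,
)

# Constructed CI log excerpt (assumption): a job ran the AWS CLI's
# `lambda get-function-configuration`, whose output includes the function's
# environment block, and also echoed a shell export. Values are made up;
# the access key ID is AWS's own documented example value.
SAMPLE_LOG = [
    "Run aws lambda get-function-configuration --function-name orders-api",
    '  "FunctionName": "orders-api",',
    '  "Environment": {',
    '    "Variables": {',
    '      "DB_HOST": "db.internal",',
    '      "DB_PASSWORD": "hunter2-not-a-real-password",',
    '      "THIRD_PARTY_API_KEY": "sk_test_000000000000"',
    "    }",
    "  }",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "Build finished",
]

# Heuristics: variable names that usually hold secrets, the AWS access key ID
# format, and the two ways a name/value pair typically appears in a log.
SENSITIVE_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
JSON_PAIR = re.compile(r'"([A-Za-z_][A-Za-z0-9_]*)"\s*:\s*"([^"]*)"')
SHELL_PAIR = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=(\S+)")


def redact_environment(cli_output: str) -> str:
    """Mask every Environment.Variables value in the CLI's JSON output.

    Variable names are kept so a reviewer can still see what is configured,
    but no value survives into the build log.
    """
    doc = json.loads(cli_output)
    variables = doc.get("Environment", {}).get("Variables")
    if isinstance(variables, dict):
        for name in variables:
            variables[name] = MASK
    return json.dumps(doc, indent=2)


def find_env_leaks(log_lines):
    """Return (line_number, reason) for log lines that look like leaked values.

    Lines whose value is already MASK are ignored, so a redacted dump is clean.
    """
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((lineno, "aws_access_key_id"))
            continue
        match = JSON_PAIR.search(line) or SHELL_PAIR.match(line)
        if match and SENSITIVE_NAME.search(match.group(1)) and match.group(2) != MASK:
            findings.append((lineno, f"sensitive variable {match.group(1)}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_env_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
    print(redact_environment(SAMPLE_CLI_OUTPUT))
```

The redaction keeps variable names but replaces values, which is the minimum that makes a `describe`-style command safe to echo; the scanner is a heuristic (name patterns plus the AWS key ID format) meant for a post-build check or a log-retention sweep, not a substitute for moving secrets out of environment variables in the first place.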
Nisimi warned, 'If bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can.' He added, 'CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.'