CLI Tools from AWS, Google, and Azure Could Unintentionally Expose Credentials

April 16, 2024

A new cybersecurity study has discovered that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud could inadvertently reveal sensitive credentials in build logs, creating significant security risks for organizations. Orca, a cloud security company, has named this vulnerability LeakyCLI.

According to Roi Nisimi, a security researcher, 'Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions.' Microsoft has already addressed this issue in their November 2023 security updates, assigning it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).

The core of the issue is that certain CLI commands print pre-set environment variables as part of their output, and in a Continuous Integration and Continuous Deployment (CI/CD) pipeline that output is captured in build logs. Orca found several projects on GitHub that accidentally leaked access tokens and other sensitive data this way through GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.

However, unlike Microsoft, both Amazon and Google regard this as an expected behavior. They suggest that organizations should avoid storing secrets in environment variables and instead utilize a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager. Google also advises the use of the '--no-user-output-enabled' option to prevent the printing of command output to standard output and standard error in the terminal.
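As an added illustration of the defensive side (example code written for this page, not Orca's tooling or any vendor's), the script below scans a build log for environment variables whose names look credential-bearing, printed either in shell `NAME=value` form or in the JSON that cloud CLIs emit, reports them, and produces a masked copy. The log excerpt and all values in it are constructed; the name heuristic is an assumption and should be tuned to your own variable naming.

```python
import re

# Name fragments that usually mark a credential (heuristic; an assumption of this example).
SENSITIVE_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)

# Two shapes in which a CLI commonly prints environment variables into a build log:
#   shell/export style:  export AWS_SECRET_ACCESS_KEY=...      JSON style:  "AWS_SECRET_ACCESS_KEY": "..."
KV_PATTERNS = [
    re.compile(r"^(?P<prefix>\s*(?:export\s+)?(?P<name>[A-Za-z_][A-Za-z0-9_]*)=)(?P<value>\S+)"),
    re.compile(r'(?P<prefix>"(?P<name>[A-Za-z_][A-Za-z0-9_]*)"\s*:\s*")(?P<value>[^"]*)(?=")'),
]

def find_leaks(log: str) -> list:
    """Return (1-based line number, variable name) for each credential-looking value in the log."""
    hits = []
    for no, line in enumerate(log.splitlines(), start=1):
        for pat in KV_PATTERNS:
            for m in pat.finditer(line):
                if SENSITIVE_NAME.search(m.group("name")) and m.group("value"):
                    hits.append((no, m.group("name")))
    return hits

def redact(log: str) -> str:
    """Return the log with every credential-looking value replaced by '***'."""
    def mask(m: re.Match) -> str:
        return m.group("prefix") + "***" if SENSITIVE_NAME.search(m.group("name")) else m.group(0)
    lines = log.splitlines()
    for pat in KV_PATTERNS:
        lines = [pat.sub(mask, line) for line in lines]
    return "\n".join(lines)

# Constructed build-log excerpt: the command is a real AWS CLI command, the output and values are made up.
CONSTRUCTED_LOG = """\
Run aws lambda get-function-configuration --function-name demo
{
    "Environment": {
        "Variables": {
            "DB_HOST": "db.internal",
            "DB_PASSWORD": "hunter2-constructed",
            "THIRD_PARTY_API_KEY": "sk_constructed_000"
        }
    }
}
AWS_DEFAULT_REGION=us-east-1
export GITHUB_TOKEN=ghp_constructed000000"""

if __name__ == "__main__":
    print(find_leaks(CONSTRUCTED_LOG))
    print(redact(CONSTRUCTED_LOG))
```

Running this as a post-processing step before a log is stored or published is a stopgap; the page's recommended fix of keeping secrets out of environment variables altogether removes the value from the output in the first place.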

Nisimi warned, 'If bad actors get their hands on these environment variables, this could potentially lead to view sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can.' He added, 'CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.'
