Microsoft has fixed a serious security flaw in Azure CLI that could expose credentials in logs. The vulnerability, tracked as CVE-2023-36052, could have allowed attackers to steal credentials from logs produced by GitHub Actions or Azure DevOps pipelines that run Azure CLI commands. It was discovered by security researchers at Palo Alto Networks' Prisma Cloud.
Successful exploitation would have let an unauthenticated, remote attacker recover plaintext content that Azure CLI wrote to Continuous Integration and Continuous Deployment (CI/CD) logs: the affected commands echoed configuration values, credentials included, to standard output, and CI systems capture that output in build logs that may be publicly readable. No access to the victim's Azure environment is needed, only access to the logs. As Microsoft explains, 'An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions.'
To mitigate the vulnerability, customers using the affected CLI commands are advised to upgrade Azure CLI to version 2.53.1 or later. The same advice applies to customers whose Azure DevOps or GitHub Actions pipelines have already produced log files with these commands. Note that upgrading does not remove credentials from logs that have already been written: any secret that appeared in such a log should be treated as compromised and rotated. Microsoft has notified customers who recently used Azure CLI commands via the Azure Portal.
In a follow-up MSRC blog post, Microsoft urged all customers to update to the latest Azure CLI release (2.54) and listed steps for preventing accidental exposure of secrets in CI/CD logs.
Microsoft has also changed an Azure CLI default: secret values are now hidden in the output of update commands for App Service family services, including Web Apps and Functions. The new default only takes effect for customers who have updated to Azure CLI 2.53.1 or later; versions 2.53.0 and earlier remain vulnerable.
In addition, Microsoft has expanded credential redaction in GitHub Actions and Azure Pipelines so that more Microsoft-issued key patterns are recognized in build logs and masked, preventing those keys from leaking through publicly accessible logs. 'Note that the patterns being redacted are not currently comprehensive and you may see additional variables and data masked in output and logs that are not set as secrets,' the company stated.
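The two mitigations above, hiding secret values in the CLI's own output and pattern-based masking in the CI platform's logs, can be demonstrated together. The following is an added example written for this article, not Microsoft's code: it takes output of the shape that `az webapp config appsettings set` prints (a JSON list of name/slotSetting/value objects), blanks every value before anything is logged, then scans any remaining free text for well-known Azure credential shapes. The regexes are conservative approximations of storage keys, SAS signatures and connection-string secrets, not the actual redaction rules used by GitHub Actions or Azure Pipelines, and all sample values are constructed. The `::add-mask::` and `##vso[task.setvariable ...;issecret=true]` runner commands are real; emitting them is shown as a second line of defence, not a substitute for never printing the values.

```python
"""Keep Azure CLI secrets out of CI/CD logs by redacting command output before it is printed.

Added example for this article; not Microsoft's code. Regexes are conservative
approximations of well-known Azure credential shapes, not the platforms' own rules.
"""
import json
import re

REDACTED = "***"

# Pattern-based fallback for free text. Order matters: the connection-string rule runs
# first so a key inside "AccountKey=..." is reported once, not twice.
PATTERNS = [
    # Secret-bearing connection-string fields (storage, Service Bus, SQL).
    ("connection_string_secret",
     re.compile(r"((?:AccountKey|SharedAccessKey|Password|Pwd)=)([^;\s\"']+)", re.I)),
    # Shared Access Signature: the 'sig=' query parameter is the credential.
    ("sas_signature", re.compile(r"(sig=)([A-Za-z0-9%+/=]{20,})")),
    # Bare storage account key: 64 random bytes in base64 = 88 chars ending in "==".
    ("azure_storage_key",
     re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/=])")),
]


def redact_appsettings_json(text):
    """Structural redaction for JSON like `az webapp config appsettings set` prints.
    Every "value" field is blanked, secret-looking or not, mirroring the 2.53.1+
    default of not showing secret values in update-command output.
    Returns (redacted_text, removed_values); non-JSON input is returned unchanged."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return text, []
    items = data if isinstance(data, list) else [data]
    removed = []
    for item in items:
        if isinstance(item, dict) and isinstance(item.get("value"), str):
            removed.append(item["value"])
            item["value"] = REDACTED
    if not removed:
        return text, []
    return json.dumps(data, indent=2), removed


def redact_patterns(text):
    """Mask well-known credential shapes in free text. Returns (text, [pattern names hit])."""
    findings = []
    for name, rx in PATTERNS:
        def _mask(m, name=name):
            findings.append(name)
            # Keep the identifying prefix (e.g. "sig=") when the regex captured one.
            return (m.group(1) if m.lastindex else "") + REDACTED
        text = rx.sub(_mask, text)
    return text, findings


def redact_cli_output(text):
    """Full pipeline: structural redaction first, then a pattern scan over what remains."""
    text, removed = redact_appsettings_json(text)
    text, findings = redact_patterns(text)
    return text, removed, findings


def mask_commands(secrets, platform="github"):
    """Runner commands that register values as secrets so the platform masks any later
    occurrence in the log. The runner consumes these lines; they are not logged."""
    if platform == "github":
        return [f"::add-mask::{s}" for s in secrets]
    if platform == "azure-pipelines":
        # Secret variables are masked by the agent wherever they appear in later output.
        return [f"##vso[task.setvariable variable=masked_{i};issecret=true]{s}"
                for i, s in enumerate(secrets)]
    raise ValueError(f"unknown platform: {platform}")


# Constructed samples (not real credentials): an appsettings JSON document of the kind
# the vulnerable commands echoed, and a free-text log line carrying a SAS URL.
STORAGE_KEY = "Q" * 86 + "=="  # has the shape of a storage account key only
SAMPLE_APPSETTINGS = json.dumps([
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": False, "value": "1"},
    {"name": "STORAGE_CONN", "slotSetting": False,
     "value": f"DefaultEndpointsProtocol=https;AccountName=example;"
              f"AccountKey={STORAGE_KEY};EndpointSuffix=core.windows.net"},
    {"name": "DB_PASSWORD", "slotSetting": True, "value": "s3cr3t-example"},
])
SAMPLE_LOG_LINE = ("Uploading to https://example.blob.core.windows.net/c/blob"
                   "?sv=2022-11-02&sig=abcdefghijklmnopqrstuvwxyz0123456789%3D")

if __name__ == "__main__":
    for sample in (SAMPLE_APPSETTINGS, SAMPLE_LOG_LINE):
        text, removed, findings = redact_cli_output(sample)
        print(text)
        print(f"# values blanked: {len(removed)}, pattern hits: {findings}")
```

In a pipeline step this sits between the `az` invocation and the log: capture the command's stdout, run it through `redact_cli_output`, and print only the redacted text. Simpler still, and what the article's guidance amounts to, is not to produce the output at all (`--output none` on the update command) and to read settings back only where the values are genuinely needed.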
Microsoft says it continues to look for ways to optimize and extend this protection to cover a broader set of potential secret patterns.