AWS, Google, and Azure CLI Tools May Leak Credentials in Build Logs

Apr 16, 2024 | Newsroom | Cloud Security / DevSecOps

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations.

The vulnerability has been codenamed LeakyCLI by cloud security firm Orca.

“Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions,” security researcher Roi Nisimi said in a report shared with The Hacker News.

Microsoft has since addressed the issue as part of security updates released in November 2023 and assigned it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).


The idea, in a nutshell, has to do with how certain CLI commands could be used to show (pre-)defined environment variables and output them to Continuous Integration and Continuous Deployment (CI/CD) logs. A list of such commands spanning AWS and Google Cloud is below:

  • aws lambda get-function-configuration
  • aws lambda get-function
  • aws lambda update-function-configuration
  • aws lambda update-function-code
  • aws lambda publish-version
  • gcloud functions deploy --set-env-vars
  • gcloud functions deploy --update-env-vars
  • gcloud functions deploy --remove-env-vars

Orca said it found several projects on GitHub that inadvertently leaked access tokens and other sensitive data via GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.

Credentials in Build Logs

In contrast to Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.

Google also recommends the use of the “--no-user-output-enabled” option to suppress the printing of command output to standard output and standard error in the terminal.
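One way to audit build scripts for the commands listed above, as an added example that is not from Orca's report or from The Hacker News: it flags an invocation unless its output is kept out of the log. Treating a stdout redirect to /dev/null as sufficient suppression is an assumption of this example, and the sample script is constructed.

```python
import re

# Commands the article lists as echoing environment variables in their output.
AWS_CMD = re.compile(
    r"\baws\s+lambda\s+(get-function-configuration|get-function|"
    r"update-function-configuration|update-function-code|publish-version)(?![\w-])")
GCLOUD_DEPLOY = re.compile(r"\bgcloud\s+functions\s+deploy\b")
GCLOUD_ENV = re.compile(r"--(?:set|update|remove)-env-vars\b")
QUIET_FLAG = "--no-user-output-enabled"  # the option Google recommends
# Assumption of this example: stdout sent to /dev/null also keeps output out of the log.
STDOUT_NULL = re.compile(r"(?:&>|(?<![\d&])1?>)\s*/dev/null")

def logical_lines(text):
    """Yield (first_line_no, command) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def find_risky_invocations(text):
    """Return (line_no, command) for listed commands whose output reaches the log."""
    findings = []
    for no, cmd in logical_lines(text):
        if cmd.lstrip().startswith("#"):
            continue
        quiet = bool(STDOUT_NULL.search(cmd))
        aws = AWS_CMD.search(cmd)
        if aws and not quiet:
            findings.append((no, "aws lambda " + aws.group(1)))
        elif (GCLOUD_DEPLOY.search(cmd) and GCLOUD_ENV.search(cmd)
              and QUIET_FLAG not in cmd and not quiet):
            findings.append((no, "gcloud functions deploy"))
    return findings

# Constructed sample build script (not taken from any real project).
SAMPLE = """\
#!/bin/sh
aws lambda update-function-configuration --function-name demo \\
    --environment "Variables={DB_PASSWORD=$DB_PASSWORD}"
aws lambda publish-version --function-name demo > /dev/null
gcloud functions deploy demo --update-env-vars API_KEY=$API_KEY
gcloud functions deploy demo --set-env-vars MODE=prod --no-user-output-enabled
"""
```

Calling `find_risky_invocations(SAMPLE)` reports lines 2 and 5 of the sample; a finding is a prompt to move the secret into a secrets manager, not only to silence the command.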

“If bad actors get their hands on these environment variables, this could potentially lead to view sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Nisimi said.

“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.”


Author: (The Hacker News)
Date: 2024-04-16 09:26:00
