
New cybersecurity research has unveiled a critical vulnerability in command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud, potentially exposing sensitive credentials in build logs. Dubbed LeakyCLI by cloud security firm Orca, this vulnerability poses significant risks to organizations.
According to security researcher Roi Nisimi, certain commands on Azure CLI, AWS CLI, and Google Cloud CLI can inadvertently expose sensitive information in the form of environment variables. Adversaries can exploit this vulnerability when such data is published by tools like GitHub Actions.
Microsoft has taken steps to address the issue, issuing security updates in November 2023, and assigning it the CVE identifier CVE-2023-36052 with a CVSS score of 8.6.
The vulnerability arises from how CLI commands, such as those listed below, interact with predefined environment variables and output to Continuous Integration and Continuous Deployment (CI/CD) logs:
- aws lambda get-function-configuration
- aws lambda get-function
- aws lambda update-function-configuration
- aws lambda update-function-code
- aws lambda publish-version
- gcloud functions deploy --set-env-vars
- gcloud functions deploy --update-env-vars
- gcloud functions deploy --remove-env-vars
Orca’s research revealed numerous projects on GitHub inadvertently leaking access tokens and sensitive data via platforms like GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.
While Microsoft has addressed the issue, both Amazon and Google view this as expected behavior, emphasizing the need for organizations to avoid storing secrets in environment variables. Instead, they recommend using dedicated secrets store services like AWS Secrets Manager or Google Cloud Secret Manager.
Google additionally suggests employing the “--no-user-output-enabled” option to prevent the printing of command output to standard output and standard error in the terminal.
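As an added example (not Orca’s research code or any vendor’s tooling), the following Python shows the defender’s side of the commands listed above: it scans CI log text for environment-variable values echoed by the `aws lambda` JSON output and by `gcloud functions deploy` flags and result blocks, and it includes a redaction wrapper that masks `Environment.Variables` before `aws lambda` output is written to a log. Every log line, function name and secret value is constructed; the `AKIAIOSFODNN7EXAMPLE` key id is AWS’s documented example value, and the name and value patterns are assumptions chosen for illustration.

```python
"""Detect and redact CLI-echoed environment variables in CI/CD logs.

Added example for this article; not Orca's code or any vendor's tooling.
All log lines and secret values below are constructed. AKIAIOSFODNN7EXAMPLE
is AWS's documented example access key id, not a live credential.
"""
import json
import re

# Variable names that usually hold credentials (assumed list, tune per org).
SENSITIVE_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_?KEY|CREDENTIAL)", re.I
)
# Value shapes worth flagging even when the variable name looks harmless.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
}
# The aws lambda commands the article names; their JSON includes Environment.Variables.
AWS_LEAKY = re.compile(
    r"aws lambda (get-function-configuration|get-function|"
    r"update-function-configuration|update-function-code|publish-version)"
)
# The gcloud flags the article names, echoed in the log as KEY=VALUE,KEY=VALUE.
GCLOUD_ENV_FLAG = re.compile(
    r"gcloud functions deploy\b.*?--(?:set|update)-env-vars[ =](\S+)"
)

# Constructed aws lambda get-function-configuration output.
LAMBDA_JSON = """{
    "FunctionName": "billing-api",
    "Runtime": "python3.11",
    "Environment": {
        "Variables": {
            "LOG_LEVEL": "info",
            "DB_PASSWORD": "constructed-not-a-real-password",
            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            "REGION": "us-east-1"
        }
    }
}"""

# Constructed CI log: command echoes followed by raw CLI stdout.
CONSTRUCTED_LOG = (
    "Run aws lambda get-function-configuration --function-name billing-api\n"
    + LAMBDA_JSON + "\n"
    "Run gcloud functions deploy thumbnailer "
    "--update-env-vars API_TOKEN=tok_constructed_0123,BUCKET=thumbs\n"
    "Deploying function (may take a while - up to 2 minutes)...\n"
    "environmentVariables:\n"
    "  BUCKET: thumbs\n"
    "  SERVICE_TOKEN: svc_constructed_4567\n"
    "state: ACTIVE\n"
)


def classify(name, value):
    """Return why a variable looks sensitive ('name' or 'value:<label>'), else None."""
    if SENSITIVE_NAME.search(name):
        return "name"
    for label, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            return "value:" + label
    return None


def _collect(findings, source, env):
    for name, value in env.items():
        reason = classify(name, str(value))
        if reason:
            findings.append({"source": source, "name": name, "value": value, "reason": reason})


def find_leaked_variables(log_text):
    """Return findings for sensitive env vars present in CLI output or command echoes."""
    findings = []
    decoder = json.JSONDecoder()

    # 1. aws lambda ...: parse the JSON document that follows the command echo.
    for m in AWS_LEAKY.finditer(log_text):
        start = log_text.find("{", m.end())
        if start == -1:
            continue
        try:
            obj, _ = decoder.raw_decode(log_text[start:])
        except json.JSONDecodeError:
            continue
        config = obj.get("Configuration", obj)  # get-function nests one level deeper
        _collect(findings, "aws lambda " + m.group(1),
                 config.get("Environment", {}).get("Variables", {}))

    # 2. gcloud functions deploy: the flag argument itself is echoed in the log.
    for m in GCLOUD_ENV_FLAG.finditer(log_text):
        pairs = dict(p.partition("=")[::2] for p in m.group(1).split(","))
        _collect(findings, "gcloud functions deploy (arguments)", pairs)

    # 3. gcloud's YAML-style result lists environmentVariables as indented "KEY: VALUE".
    for m in re.finditer(r"^[ \t]*environmentVariables:[ \t]*$", log_text, re.M):
        env = {}
        for line in log_text[m.end():].splitlines()[1:]:
            kv = re.match(r"^\s+([A-Za-z_]\w*):\s*(.+?)\s*$", line)
            if not kv:
                break
            env[kv.group(1)] = kv.group(2)
        _collect(findings, "gcloud functions deploy (output)", env)
    return findings


def redact_lambda_output(raw_json, mask="***"):
    """Mask Environment.Variables in aws lambda JSON so only the masked form is logged."""
    obj = json.loads(raw_json)
    config = obj.get("Configuration", obj)
    env = config.get("Environment", {}).get("Variables")
    if env:
        for key in env:
            env[key] = mask
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    for f in find_leaked_variables(CONSTRUCTED_LOG):
        print(f"{f['source']}: {f['name']} flagged by {f['reason']}")
    print(redact_lambda_output(LAMBDA_JSON))
```

The scanner flags `DB_PASSWORD`, `API_TOKEN` and `SERVICE_TOKEN` by name and `AWS_ACCESS_KEY_ID` by value shape, while `LOG_LEVEL`, `REGION` and `BUCKET` pass. Redaction only helps if the pipeline captures the CLI output and logs the masked result instead of letting the command write straight to the job log; moving the secrets themselves into a secrets manager, as the vendors recommend, removes the exposure entirely.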
Roi Nisimi warns that if bad actors obtain these environment variables, they could potentially access sensitive information, including passwords, usernames, and keys, granting unauthorized access to repository resources.
This revelation underscores the importance of vigilance in securing CLI commands, particularly within CI/CD pipelines, where they may inadvertently pose a security threat.
About Author
Mr. Ankush, a Certified Ethical Hacker (CEH) certified by EC-Council (Certification Number: ECC1805479632), is a digital forensics expert and cybercrime investigator. With a passion for unraveling complex cyber threats, he specializes in supporting legal proceedings with meticulous digital evidence analysis. Additionally, Ankush dedicates his time to volunteer work, writing articles and blogs for Elite Defender Security. Through his contributions, he aims to educate and empower others about cybersecurity best practices, furthering the mission of creating a safer digital environment for all.