New cybersecurity research has found that command line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud could expose sensitive credentials in build logs, posing significant risks to organizations.
The issue has been codenamed LeakyCLI by cloud security company Orca.
Security researcher Roi Nisimi said in a shared report: “Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected and exploited when published through tools such as GitHub Actions.”
Microsoft has since addressed the issue on its side in a security update released in November 2023 and assigned it the identifier CVE-2023-36052 (CVSS score: 8.6).
In a nutshell, the issue comes down to how certain CLI commands print (pre-)defined environment variables as part of their normal output, and that output ends up in Continuous Integration and Continuous Deployment (CI/CD) logs. The affected commands across AWS and Google Cloud are listed below:
- aws lambda get-function-configuration
- aws lambda get-function
- aws lambda update-function-configuration
- aws lambda update-function-code
- aws lambda publish-version
- gcloud functions deploy --set-env-vars
- gcloud functions deploy --update-env-vars
- gcloud functions deploy --remove-env-vars
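To make the leak concrete, the following is an added example written for this page, not code from Orca, AWS or Google. It parses constructed output in the shapes the two CLIs print (the JSON of aws lambda get-function-configuration, whose Environment.Variables field is the real response field, and the YAML summary that gcloud functions deploy prints, whose environmentVariables key is the Cloud Functions resource field), flags variables whose names look like credentials, and produces a redacted copy that is safe to echo into a build log. The function names, account id, variable names and values in the samples are made up, and the name-matching regex is an assumption to be tuned to local naming conventions.

```python
import json
import re
from typing import Dict

# Constructed sample in the shape `aws lambda get-function-configuration`
# prints. "Environment" -> "Variables" is the real response field; the
# function name, account id and variable values are made-up, not real data.
SAMPLE_AWS_OUTPUT = json.dumps({
    "FunctionName": "example-fn",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:example-fn",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "LOG_LEVEL": "INFO",
            "DB_PASSWORD": "hunter2",
            "THIRD_PARTY_API_KEY": "sk_test_abc123",
        }
    },
}, indent=2)

# Constructed sample of the YAML summary `gcloud functions deploy` prints;
# environmentVariables is the Cloud Functions resource field, the rest is made up.
SAMPLE_GCLOUD_OUTPUT = """\
name: projects/example-proj/locations/us-central1/functions/example-fn
environmentVariables:
  LOG_LEVEL: INFO
  SERVICE_TOKEN: tok_abc123
runtime: python312
"""

# Variable names that usually carry credentials (assumed list; tune locally).
SECRET_NAME_RE = re.compile(
    r"(secret|token|passw(or)?d|api[_-]?key|private[_-]?key|credential)", re.I
)


def find_secret_env_vars_aws(cli_output: str) -> Dict[str, str]:
    """Return Environment.Variables entries whose names look like secrets.

    Non-JSON input (text/table output, or a partial log fragment) yields an
    empty dict instead of raising, so this can run over arbitrary log text.
    """
    try:
        doc = json.loads(cli_output)
    except json.JSONDecodeError:
        return {}
    if not isinstance(doc, dict):
        return {}
    variables = (doc.get("Environment") or {}).get("Variables") or {}
    return {k: v for k, v in variables.items() if SECRET_NAME_RE.search(k)}


def find_secret_env_vars_gcloud(yaml_text: str) -> Dict[str, str]:
    """Same check for the gcloud YAML summary, parsed line by line (no PyYAML).

    Collects `key: value` lines indented under an `environmentVariables:` key;
    the block ends at the first blank line or line at the same or lower indent.
    """
    found: Dict[str, str] = {}
    in_block, block_indent = False, 0
    for line in yaml_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block and (not stripped or indent <= block_indent):
            in_block = False
        if in_block:
            key, sep, value = stripped.partition(":")
            if sep and SECRET_NAME_RE.search(key):
                found[key.strip()] = value.strip()
        elif stripped.startswith("environmentVariables:"):
            in_block, block_indent = True, indent
    return found


def redact_aws_env_vars(cli_output: str, placeholder: str = "***") -> str:
    """Return the AWS JSON with every Environment.Variables value masked.

    All values are masked, not only secret-looking names, because a value such
    as a connection string can embed a password under an innocuous name.
    """
    doc = json.loads(cli_output)
    env = doc.get("Environment")
    if env and env.get("Variables"):
        env["Variables"] = {k: placeholder for k in env["Variables"]}
    return json.dumps(doc, indent=2)


def safe_to_log(cli_output: str) -> bool:
    """CI gate: True only if neither parser flags a secret-looking variable."""
    return not (find_secret_env_vars_aws(cli_output)
                or find_secret_env_vars_gcloud(cli_output))


if __name__ == "__main__":
    print("AWS would leak:", sorted(find_secret_env_vars_aws(SAMPLE_AWS_OUTPUT)))
    print("gcloud would leak:", sorted(find_secret_env_vars_gcloud(SAMPLE_GCLOUD_OUTPUT)))
    print(redact_aws_env_vars(SAMPLE_AWS_OUTPUT))
```

A gate like safe_to_log only catches what a name pattern recognises; the more reliable fix is to keep the values out of the output in the first place, for example by redirecting the command's stdout away from the log, or by narrowing the AWS CLI output with its --query and --output options to the single field the pipeline actually needs (such as the function ARN).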
Orca said it discovered multiple projects on GitHub that inadvertently exposed access tokens and other sensitive data through GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.
However, unlike Microsoft, both Amazon and Google consider this expected behavior, and instead expect organizations to avoid storing secrets in environment variables altogether and to use a dedicated secrets storage service such as AWS Secrets Manager or Google Cloud Secret Manager.
Google also recommends using the --no-user-output-enabled option to disable printing of command output to the terminal's standard output and standard error.
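As an added illustration of the recommended alternative, not code from Orca, AWS or Google: the Lambda environment carries only the name of a secret, and the function resolves the value at runtime from Secrets Manager, so nothing that aws lambda get-function-configuration prints contains the credential itself. The boto3 call get_secret_value(SecretId=...) and its SecretString response field are the real Secrets Manager API; the FakeSecretsManager stand-in, the secret name prod/example/db, the DB_SECRET_ID variable name and the secret contents are constructed so the example runs offline.

```python
import json
import os
from typing import Any, Dict, Optional


class FakeSecretsManager:
    """Offline stand-in for boto3's secretsmanager client (constructed data).

    Implements only get_secret_value(SecretId=...), returning the same
    {"SecretString": ...} shape the real client returns, and counts calls so
    the cache behaviour below can be checked.
    """

    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self._secrets:
            # The real client raises ResourceNotFoundException here.
            raise KeyError(SecretId)
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


# Per-container cache: a warm Lambda re-uses the module, so a secret is
# fetched once per container rather than once per invocation.
SECRET_CACHE: Dict[str, Dict[str, Any]] = {}


def get_secret(secret_id: str, client: Optional[Any] = None) -> Dict[str, Any]:
    """Resolve a JSON-encoded secret by name, caching it in memory.

    client=None creates the real boto3 client (assumes boto3 is available and
    the execution role allows secretsmanager:GetSecretValue on the secret);
    pass a client to run without AWS access.
    """
    cached = SECRET_CACHE.get(secret_id)
    if cached is not None:
        return cached
    if client is None:
        import boto3  # assumption: present in the Lambda runtime
        client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId=secret_id)
    value = json.loads(response["SecretString"])
    SECRET_CACHE[secret_id] = value
    return value


def handler(event: Dict[str, Any], context: Any,
            client: Optional[Any] = None) -> Dict[str, Any]:
    """Lambda entry point. The environment holds a secret *name*, not a
    value, so the CLI commands listed above print nothing sensitive."""
    secret_id = os.environ.get("DB_SECRET_ID", "prod/example/db")  # assumed name
    creds = get_secret(secret_id, client=client)
    # Use the credential here; never echo it back in the response or logs.
    return {"statusCode": 200, "body": f"connected as {creds['username']}"}


if __name__ == "__main__":
    fake = FakeSecretsManager(
        {"prod/example/db": '{"username": "app", "password": "constructed"}'}
    )
    print(handler({}, None, client=fake))
```

The shape of the fix is the point: the only thing left in Environment.Variables is an identifier that is harmless if it shows up in a CI log, while access to the value is governed by the execution role's IAM permissions and audited through CloudTrail rather than being readable by anyone who can view the build output.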
“If a bad actor gets hold of these environment variables, this could lead to the viewing of sensitive information, including credentials such as passwords, usernames, and keys, which could allow them to access any resources that the repository owner has access to,” Nisimi said.
“By default, CLI commands are assumed to run in a secure environment, but combined with CI/CD pipelines, they can pose a security threat.”