New cybersecurity research has found that command line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud could expose sensitive credentials in build logs, posing significant risks to organizations.
The vulnerability is codenamed Leaked CLI Provided by cloud security company Orca.
Security researcher Roi Nisimi said in a shared report: “Some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be exploited when published through tools such as GitHub Actions Collected by.
Microsoft has since addressed the issue in a security update released in November 2023 and assigned it CVE identification code CVE-2023-36052 (CVSS score: 8.6).
In a nutshell, the idea is related to how CLI commands can be used to display (pre-)defined environment variables and output to Continuous Integration and Continuous Deployment (CI/CD) logs. List of such commands across AWS and Google Cloud is below 0
- aws lambda gets function configuration
- aws lambda get function
- aws lambda update function configuration
- aws lambda update function code
- aws lambda release version
- gcloud function deployment
–set-env-vars - gcloud function deployment
–update-env-vars - gcloud function deployment
–remove-env-vars
Orca said it discovered multiple projects on GitHub that inadvertently exposed access tokens and other sensitive data through Github Actions, CircleCI, TravisCI and Cloud Build logs.
However, unlike Microsoft, both Amazon and Google consider this to be expected behavior, requiring organizations to take steps to avoid storing secrets in environment variables and instead use a dedicated secrets storage service such as AWS Secrets Manager or Google Cloud Secret Manager.
Google also recommends using the “–no-user-output-enabled” option to disable printing of command output to the terminal’s standard output and standard error.
“If a bad actor gets hold of these environment variables, this could lead to the viewing of sensitive information, including credentials such as passwords, usernames, and keys, which could allow them to access any resources that the repository owner has access to,” Nisimi said.
“By default, CLI commands are assumed to run in a secure environment, but combined with CI/CD pipelines, they can pose a security threat.”
