Recent cybersecurity research has unveiled a critical vulnerability in command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud, risking the exposure of sensitive credentials within build logs. Dubbed LeakyCLI by the cloud security firm Orca, this vulnerability draws attention to how certain commands can inadvertently disclose sensitive data when their output is captured by Continuous Integration and Continuous Deployment (CI/CD) systems.

Security researcher Roi Nisimi highlighted in a report shared with The Hacker News that commands from services such as Azure CLI, AWS CLI, and Google Cloud CLI can reveal environment variables containing sensitive information. These variables can then be harvested by malicious actors if they are logged by CI/CD platforms like GitHub Actions.

In response to the vulnerability, Microsoft released a security patch in November 2023, assigning the issue the CVE identifier CVE-2023-36052, which carries a CVSS score of 8.6. This contrasted with responses from Amazon and Google, which regard such exposures as expected behavior, placing the onus on organizations to implement proper security practices, such as utilizing dedicated secrets management services like AWS Secrets Manager or Google Cloud Secret Manager.

Orca’s findings indicate that numerous projects on GitHub have mistakenly exposed access tokens and other confidential information through their CI/CD logs. The vulnerability is largely attributed to specific commands within the AWS and Google Cloud ecosystems that can display predefined environment variables directly in build logs, thus compromising security. Various commands, including those for managing AWS Lambda and deploying Google Cloud functions, are particularly susceptible.

The potential implications are significant. If adversaries gain access to these logged environment variables, they could uncover sensitive credentials like passwords, usernames, and access keys, granting them unauthorized access to organizational resources. Nisimi warned that while CLI commands are generally assumed to operate in secure environments, their integration with CI/CD pipelines creates notable security risks.

To mitigate exposure, Google suggests the use of the “--no-user-output-enabled” option to prevent command outputs from being recorded in logs, further underscoring the importance of vigilance in safeguarding sensitive data within the development lifecycle. Organizations are urged to rethink their approach to environment variables and adopt best practices to avoid storing secrets in easily accessible places.
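The exposure path described above (a CLI command echoing a function's environment configuration into a build log) can also be caught on the defender's side by scanning the log before it is retained. The following Python is an added example, not code from Orca, AWS, Google or any CI/CD vendor: it redacts the values of secret-looking environment variables and AWS access key IDs from log lines and reports where they were found. The keyword list for variable names and the sample log lines are assumptions constructed for illustration; the "AKIA" prefix and the sample key AKIAIOSFODNN7EXAMPLE follow AWS's documented access key ID format and its published example value.

```python
"""Scan CI/CD build-log lines for credentials a cloud CLI may have echoed.

Added example for illustration; not the code of Orca or any cloud vendor.
Returns a redacted copy of the log plus a list of findings so the original
secret values never reach the retained log or the caller's output.
"""
import re

REDACTED = "***REDACTED***"

# Environment-variable names that usually hold secrets, matched as KEY=value or
# JSON-style "KEY": "value".  The keyword list is an assumption; extend it with
# your own naming conventions.
ENV_SECRET = re.compile(
    r'\b(?P<name>[A-Z0-9_]*?(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY)[A-Z0-9_]*)'
    r'"?\s*[=:]\s*"?(?P<value>[^"\s,]+)',
    re.IGNORECASE,
)

# AWS access key IDs have a documented fixed shape: "AKIA" plus 16 upper-case
# alphanumerics.  Catches bare keys that appear outside any KEY=value pair.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Constructed sample of what a build log might contain after a CLI command
# printed a function's environment block.  All values are placeholders.
SAMPLE_LOG = [
    "Run aws lambda get-function-configuration --function-name billing",
    '    "Environment": {',
    '        "Variables": {',
    '            "DB_PASSWORD": "hunter2-EXAMPLE",',
    '            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"',
    "        }",
    "    },",
    "DEBUG: signing request with key AKIAIOSFODNN7EXAMPLE",
    "Run gcloud functions deploy billing --region us-central1",
    "Deployed function with env STRIPE_API_TOKEN=tok_EXAMPLE",
    "Build finished in 42s",
]


def scan_log(lines):
    """Return (redacted_lines, findings).

    findings is a list of (line_number, kind, label) tuples; the label is the
    variable name for 'env' hits and only the 4-character prefix for bare
    access key IDs, so the finding list itself never carries a secret.
    """
    redacted, findings = [], []
    for line_no, line in enumerate(lines, 1):
        out = line
        # Pass 1: named secret variables; redact the value, keep the name.
        for m in ENV_SECRET.finditer(line):
            findings.append((line_no, "env", m.group("name")))
            out = out.replace(m.group("value"), REDACTED)
        # Pass 2: bare AWS access key IDs not already covered by pass 1.
        for key in AWS_ACCESS_KEY_ID.findall(out):
            findings.append((line_no, "aws_access_key_id", key[:4] + "..."))
            out = out.replace(key, REDACTED)
        redacted.append(out)
    return redacted, findings


if __name__ == "__main__":
    safe_lines, hits = scan_log(SAMPLE_LOG)
    for line_no, kind, label in hits:
        print(f"line {line_no}: {kind} {label}")
    print("\n".join(safe_lines))
```

Run as a filter over the job log (for example before the log is uploaded or archived), this turns each leaked value into a finding that can fail the build or trigger rotation. It is a backstop, not a substitute for the suppression the flag above provides: the value has already left the CLI process by the time a scanner sees it, so stopping the echo at the source and keeping secrets in a secrets manager remain the primary controls.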

From a tactical standpoint, this vulnerability aligns with several pertinent MITRE ATT&CK techniques, particularly in the realms of initial access and credential dumping. As attackers may exploit these weaknesses to gain unauthorized system access, organizations must take proactive measures to bolster their defenses against potential exploitation.

Given the rising tide of cyber threats, the call for rigorous security protocols surrounding cloud tools has never been more urgent. Business leaders and tech professionals must remain vigilant and informed about the latest vulnerabilities and security practices to protect their organizations from emerging risks.