According to a recent cybersecurity study, command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, which puts enterprises in serious danger.
The cloud security company Orca has termed this vulnerability LeakyCLI.
Security researcher Roi Nisimi stated in a report shared with The Hacker News that “some commands on Azure CLI, AWS CLI, and Google Cloud CLI can expose sensitive information in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions.”
Microsoft has since resolved the problem as part of security updates made available in November 2023, assigning it the CVE identifier CVE-2023-36052 (CVSS score: 8.6).
In summary, the issue is that certain CLI commands can display pre-defined environment variables and write them to Continuous Integration and Continuous Deployment (CI/CD) logs. The affected AWS and Google Cloud commands are listed below.
- aws lambda get-function-configuration
- aws lambda get-function
- aws lambda update-function-configuration
- aws lambda update-function-code
- aws lambda publish-version
- gcloud functions deploy <func> --set-env-vars
- gcloud functions deploy <func> --update-env-vars
- gcloud functions deploy <func> --remove-env-vars
Orca reported that it discovered multiple GitHub projects that unintentionally exposed sensitive information, including access tokens, through the use of GitHub Actions, CircleCI, TravisCI, and Cloud Build logs.
However, unlike Microsoft, Amazon and Google consider this expected behavior and require organizations to take precautions: avoid storing secrets in environment variables and instead use a dedicated secrets store service such as AWS Secrets Manager or Google Cloud Secret Manager.
Additionally, Google suggests using the "--no-user-output-enabled" option to suppress the printing of command output to standard output and standard error in the terminal.
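A pipeline lint for the commands listed above, as an added example that is not from Orca or the original article: it flags workflow steps that run those commands without suppressing their output. The sample workflow is constructed, and treating a stdout redirect to /dev/null as sufficient suppression for the AWS commands is an assumption of this example.

```python
import re
# Commands the article lists as echoing function environment variables.
AWS_LAMBDA = re.compile(
    r"\baws\b[^|;&]*?\blambda\s+(get-function-configuration|get-function|"
    r"update-function-configuration|update-function-code|publish-version)(?![\w-])")
GCLOUD_DEPLOY = re.compile(r"\bgcloud\b[^|;&]*?\bfunctions\s+deploy\b")
ENV_FLAG = re.compile(r"--(?:set|update|remove)-env-vars\b")
# Assumption: stdout sent to /dev/null counts as suppressed; "2>" alone does not.
STDOUT_NULL = re.compile(r"(?:^|[^2])>\s*/dev/null")

def logical_lines(text):
    """Yield (first_line_no, command) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines() + [""], 1):  # "" flushes a dangling "\"
        start = start if buf else no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        yield start, buf.strip()
        buf = ""

def find_leaky_cli(text):
    """Return [(line_no, command)] for unsuppressed uses of the listed commands."""
    findings = []
    for no, cmd in logical_lines(text):
        aws = AWS_LAMBDA.search(cmd)
        flag = ENV_FLAG.search(cmd) if GCLOUD_DEPLOY.search(cmd) else None
        if aws and not STDOUT_NULL.search(cmd):
            findings.append((no, "aws lambda " + aws.group(1)))
        if flag and "--no-user-output-enabled" not in cmd:
            findings.append((no, "gcloud functions deploy " + flag.group(0)))
    return findings

# Constructed workflow excerpt (not taken from any real repository).
SAMPLE = """\
steps:
  - run: aws lambda get-function-configuration --function-name demo
  - run: aws lambda update-function-code --function-name demo --zip-file fileb://f.zip > /dev/null
  - run: |
      gcloud functions deploy demo --runtime python312 \\
        --set-env-vars API_KEY=$API_KEY
  - run: gcloud functions deploy demo --update-env-vars MODE=prod --no-user-output-enabled
"""

if __name__ == "__main__":
    for line_no, command in find_leaky_cli(SAMPLE):
        print(f"line {line_no}: {command} may print environment variables to the build log")
```

A match is a prompt to review the step, since output captured into a variable or filtered before printing is not recognized by this pattern check.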
“If bad actors get their hands on these environment variables, this could potentially lead to view sensitive information including Credential Leaks, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Nisimi stated.
“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.”