TL;DR - Recent research has uncovered a significant vulnerability in the CLI tools of AWS, Google Cloud, and Azure, where sensitive credentials can be exposed in build logs. This issue, known as LeakyCLI, arises when certain CLI commands output environment variables containing sensitive data into CI/CD logs, making them accessible to potential attackers. Microsoft has addressed this with a security update, while AWS and Google advise not storing secrets in environment variables and recommend using specialized secret management services.
A recent discovery has highlighted a critical security concern involving command-line interface (CLI) tools used by major cloud services such as Amazon Web Services (AWS), Google Cloud, and Azure. These tools, essential for many operational tasks in cloud environments, have been found to potentially expose sensitive credentials in build logs.
Understanding the Vulnerability
The issue lies in how certain CLI commands print environment variables, which can include sensitive information, to standard output, where CI/CD systems capture them into build logs. If these logs are not properly secured or are inadvertently exposed, they give attackers easy access to confidential data. The vulnerability affects a range of commands across AWS and Google Cloud, including:
- aws lambda get-function-configuration
- gcloud functions deploy <func> --set-env-vars
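As an added example (not code from the original article or from AWS), here is a Python helper a CI job could pipe the JSON output of aws lambda get-function-configuration through before it reaches the build log: it masks every value under Environment.Variables and flags variables whose name or value looks like a static credential, so the job can fail instead of silently printing them. The sample JSON is constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation, and the regex set is a minimal starting point.

```python
import json
import re

# Patterns suggesting a static credential is sitting in an environment variable.
# Constructed for this example; extend with your organisation's own secret formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_like_name": re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY)", re.IGNORECASE),
}

MASK = "***REDACTED***"


def redact_function_config(raw_json: str) -> tuple[str, list[str]]:
    """Mask Environment.Variables in get-function-configuration output.

    Returns (safe_json, findings). findings lists variables whose name or
    value looks like a credential, so the pipeline can alert on them.
    """
    config = json.loads(raw_json)
    findings = []
    variables = config.get("Environment", {}).get("Variables", {})
    for name, value in list(variables.items()):
        if SECRET_PATTERNS["secret_like_name"].search(name):
            findings.append(f"{name}: name suggests a secret")
        elif SECRET_PATTERNS["aws_access_key_id"].search(str(value)):
            findings.append(f"{name}: value looks like an AWS access key ID")
        variables[name] = MASK  # the real value never reaches the log
    return json.dumps(config, indent=2), findings


# Constructed sample resembling real get-function-configuration output.
SAMPLE_OUTPUT = json.dumps({
    "FunctionName": "order-processor",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "LOG_LEVEL": "info",
            "DB_PASSWORD": "hunter2",
            "UPSTREAM_KEY": "AKIAIOSFODNN7EXAMPLE",
        }
    },
})

if __name__ == "__main__":
    safe, found = redact_function_config(SAMPLE_OUTPUT)
    print(safe)
    for finding in found:
        print("WARNING:", finding)
```

In a real pipeline, run the AWS CLI with --output json and feed its stdout to this function; anything that is printed afterwards is the masked copy.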
Microsoft has addressed this vulnerability in their November 2023 security updates with a high severity rating, but the risks remain for users of other cloud platforms.
Mitigation Strategies
While Microsoft has patched this issue, AWS and Google have pointed out that the exposure of credentials through environment variables should be expected. They emphasize the importance of not storing sensitive information in environment variables. Instead, they recommend using services designed for secure secret storage, such as AWS Secrets Manager and Google Cloud Secret Manager.
Impact on Organizations
The inadvertent exposure of environment variables can lead to significant security breaches. This vulnerability underscores the potential dangers of misconfigured CI/CD pipelines and the importance of adhering to best practices in security.
Is your organization's CI/CD pipeline secure? Contact us to assess your systems and enhance your security posture against credential leaks and other vulnerabilities.
Best Practices for Secure CLI Use in DevOps
To mitigate risks associated with CLI tools in CI/CD pipelines, organizations should:
- Avoid storing sensitive credentials in environment variables.
- Implement strict access controls and logging to monitor the access and usage of CLI tools.
- Regularly update and patch all tools to incorporate the latest security features and fixes.
As cloud environments become more integrated with CI/CD pipelines, the security of CLI tools is paramount. Organizations must take proactive steps to secure their tools and protect their infrastructure from potential threats.