LeakyCLI flaw exposes AWS and Google Cloud credentials

esteria.white

Security researchers have discovered a new vulnerability affecting command line tools used in cloud environments.

Dubbed “LeakyCLI” by the Orca security team, the flaw exposes sensitive credentials in logs, posing potential risks to organizations using AWS and Google Cloud platforms.

The issue mirrors a previously identified vulnerability in Azure CLI (CVE-2023-36052, with a CVSS score of 8.6), which Microsoft fixed last November. Despite Microsoft’s patch, the AWS and Google Cloud CLIs remain susceptible to the same flaw.

The vulnerability arises from specific commands within these CLIs inadvertently exposing environment variables containing sensitive information.

Adversaries could exploit this exposure and potentially gain access to critical credentials such as passwords and keys, thereby compromising the resources of affected repositories. This risk is particularly pronounced in continuous integration and continuous deployment (CI/CD) pipelines.

“CLI commands are by default supposed to run in a secure environment, but when combined with CI/CD pipelines, they can pose a security threat,” reads an advisory published by Orca today.

“This circumvents secret labeling, which is intended to block sensitive exposure, because the identifying information that is printed to standard output (the default stream into which a program writes its output data) has never been defined by the user when configuring automation.”

Orca quickly notified Google and AWS upon its discovery, but both companies said they considered this behavior within expected design parameters. To mitigate the risk, Orca said organizations should refrain from storing secrets in environment variables and retrieve them from dedicated secret storage services like AWS Secrets Manager.
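The exposure described above can also be caught on the log side. The following is an added example, not code from Orca, AWS or Google: a filter that redacts secret-looking key/value pairs from CLI output before a build log is stored and reports which keys were exposed. The key-name list, the `scrub` function and the sample log are assumptions constructed for illustration, and the filter complements moving secrets out of environment variables rather than replacing it.

```python
import re

# Key names that usually hold credentials (assumed list; extend for your environment).
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
# Value shape that is a credential whatever the key is called: AWS access key ID.
SECRET_VALUE = re.compile(r"(?:AKIA|ASIA)[0-9A-Z]{16}")
# "NAME": "value" (JSON output) or NAME=value (shell-style output).
PAIR = re.compile(
    r'(?<![A-Za-z0-9_])"?(?P<key>[A-Za-z_][A-Za-z0-9_]*)"?\s*[:=]\s*'
    r'(?:"(?P<q>[^"]*)"|(?P<u>[^\s,"]+))'
)
MASK = "***REDACTED***"

def scrub(log_text):
    """Return (redacted_log, findings); findings are (line_number, key) pairs."""
    findings, out = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        def redact(m, lineno=lineno):
            group = "q" if m.group("q") is not None else "u"
            if not (SECRET_KEY.search(m.group("key")) or SECRET_VALUE.fullmatch(m.group(group))):
                return m.group(0)  # ordinary setting, leave untouched
            findings.append((lineno, m.group("key")))
            start, end = m.start(group) - m.start(), m.end(group) - m.start()
            return m.group(0)[:start] + MASK + m.group(0)[end:]
        out.append(PAIR.sub(redact, line))
    return "\n".join(out), findings

# Constructed build-log excerpt: a CLI printed a resource's environment variables.
SAMPLE_LOG = """\
[10:00:01] $ <cli command that prints a resource configuration>
[10:00:02] {
[10:00:02]   "Environment": {
[10:00:02]     "Variables": {
[10:00:02]       "DB_PASSWORD": "constructed-example-pw",
[10:00:02]       "STAGE": "prod",
[10:00:02]       "UPLOAD_ID": "AKIAEXAMPLEEXAMPLE00"
[10:00:02]     }
[10:00:02]   }
[10:00:02] }
"""

if __name__ == "__main__":
    redacted, found = scrub(SAMPLE_LOG)
    print(redacted)
    for lineno, key in found:
        print(f"line {lineno}: value of {key} was exposed in the log")
```

The second finding shows why key names alone are not enough: `UPLOAD_ID` looks harmless, but its value has the shape of an access key ID.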

By following appropriate protocols, organizations can guard against the potential exploitation of vulnerabilities such as LeakyCLI, ensuring the integrity and security of their cloud infrastructures.
