AWS, Google, and Azure Command-Line Tools Could Leak Credentials in Build Logs

Source: https://orca.security/resources/blog/leakycli-aws-google-cloud-command-line-tools-can-expose-sensitive-credentials-build-logs/

In November last year, Microsoft fixed a severe security issue in Azure CLI that risked exposing credentials in logs. The vulnerability was identified as CVE-2023-36052 and given a CVSS score of 8.6. However, the Orca Research Pod recently discovered that the AWS and Google Cloud CLIs are exposed to the exact same vulnerability. Dubbed ‘LeakyCLI’, this is a vulnerability that can expose credentials in AWS and Google Cloud logs, which could have far-reaching consequences.

Executive Summary:

  • Orca has discovered that some commands on AWS CLI and Gcloud CLI can expose sensitive information, in the form of environment variables, which can be collected by adversaries when published by tools such as GitHub Actions.
  • Microsoft faced the same issue in Azure CLI, and identified this vulnerability as CVE-2023-36052 (CVSS score of 8.6) and issued an update and recommendation.
  • If bad actors get hold of these environment variables, they could view sensitive information, including credentials such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can.
  • CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat.
  • This bypasses secret labeling, which aims to block sensitive exposure, because the credentials that are printed back to stdout were never defined by the user during the automation setup.
  • Upon discovery of the vulnerability, Orca informed both Google and AWS, who responded that they consider this to be expected behavior based on current design.
  • To prevent exposure to this AWS and Google Cloud CLI vulnerability, organizations are advised to avoid storing secrets in environment variables, and instead retrieve them from a dedicated secrets store service such as AWS Secrets Manager.

What are Azure, Gcloud and AWS CLI?

All three major cloud service providers provide command-line interfaces for interacting with their cloud platforms: Azure CLI, AWS CLI, and Gcloud CLI. The CLIs are unified tools to manage cloud services, which transparently send REST API requests via documented commands. These CLIs are most commonly used in a local private environment, like a developer’s personal computer, but they can also be used in Continuous Integration and Continuous Deployment (CI/CD) environments. A simple example of a CI/CD use case would be deploying source code to a Lambda function every time there’s a push event to master:
name: AWS CI

on:
  push:
    branches:
      - master

jobs:
  deploy:
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Set up AWS CLI
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: deploy
        run: |
          npx ncc build src/index.js
          zip -j deploy.zip ./dist/*
          aws lambda update-function-code --function-name MyFunction --zip-file fileb://deploy.zip

Exposure of Serverless environment variables

The main problem we observed was in serverless services such as Azure Functions (this issue was fixed by Microsoft, as mentioned above), Google Cloud Functions and AWS Lambda. The documented APIs for these services include actions that return the configuration of these resources, including their environment variables. What I found interesting is that not only the get or describe commands return the configuration (including environment variables), but the update and delete commands do too, which has led to significant misconfigurations out in the wild.

AWS CLI Leakage

aws lambda get-function-configuration
aws lambda get-function
aws lambda update-function-configuration
aws lambda update-function-code
aws lambda publish-version
Like the Azure CLI commands Microsoft fixed, the above commands send the function’s existing environment variables back to stdout, even if they weren’t part of the invoked command.

[Figure: screenshot of the API deployment response from Lambda; sensitive data is hidden for security reasons]
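The following script, added here as an illustration and not part of the original post or of Orca’s tooling, shows why CI secret masking does not catch this. It builds a response shaped like the output of `aws lambda update-function-code` (field names follow the Lambda API; every value is constructed for the example), applies the kind of exact-value masking a CI system performs on registered secrets, and checks which pre-existing environment variables still land in the log verbatim. It then shows the defensive alternative: redact `Environment.Variables` before anything is written to the log. The registered secret values and function names are assumptions for the demo.

```python
"""Masking bypass demo: pre-existing Lambda env vars echoed by the CLI
are not registered CI secrets, so value-based masking never sees them."""
import copy
import json

# Constructed sample shaped like an `aws lambda update-function-code` response.
# Field names follow the Lambda API; the values are invented for this example.
SAMPLE_RESPONSE = {
    "FunctionName": "MyFunction",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
    "Runtime": "nodejs18.x",
    "Environment": {
        "Variables": {
            "DB_HOST": "db.internal.example",
            # Set by hand in the console months ago; the pipeline never knew it.
            "DB_PASSWORD": "s3cr3t-from-console",
            "API_TOKEN": "tok-abc123",
        }
    },
}

# The only values the workflow registered as secrets (assumed, constructed values).
# A CI system masks exact occurrences of these and nothing else.
REGISTERED_SECRETS = ["AKIAEXAMPLEKEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"]


def mask_registered(text: str, secrets) -> str:
    """Approximation of CI secret masking: replace each registered value with ***."""
    for value in secrets:
        if value:
            text = text.replace(value, "***")
    return text


def leaked_variables(logged_text: str, response: dict) -> list[str]:
    """Names of env vars whose real values appear verbatim in the logged text."""
    variables = response.get("Environment", {}).get("Variables", {})
    return sorted(name for name, value in variables.items() if value in logged_text)


def redact_environment(response: dict) -> dict:
    """Return a copy with every env var value replaced by a placeholder."""
    redacted = copy.deepcopy(response)
    variables = redacted.get("Environment", {}).get("Variables")
    if variables:
        for name in variables:
            variables[name] = "<redacted>"
    return redacted


def log_line(response: dict, secrets, redact: bool = False) -> str:
    """What a naive (or redacting) pipeline step would write to the build log."""
    payload = redact_environment(response) if redact else response
    return mask_registered(json.dumps(payload, indent=2), secrets)


if __name__ == "__main__":
    naive = log_line(SAMPLE_RESPONSE, REGISTERED_SECRETS)
    print("leaked despite masking:", leaked_variables(naive, SAMPLE_RESPONSE))
    safe = log_line(SAMPLE_RESPONSE, REGISTERED_SECRETS, redact=True)
    print("leaked after redaction:", leaked_variables(safe, SAMPLE_RESPONSE))
```

The simplest fix in a real pipeline is to not let the CLI print the configuration at all: `aws` accepts `--query FunctionArn --output text` to keep only the field you need, and `gcloud` accepts `--format='value(name)'`; redirecting stdout to `/dev/null` on update commands works as well. Redaction as above is the fallback when the full response must be kept for debugging.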

Gcloud CLI Leakage

gcloud functions deploy <func> --set-env-vars
gcloud functions deploy <func> --update-env-vars
gcloud functions deploy <func> --remove-env-vars
The above commands send the defined and predefined environment variables back to stdout, or, in a CI/CD scenario, into the build logs. If the developer isn’t aware of this, even secret masking via GitHub Actions or Cloud Build will not help, because there may be pre-existing environment variables in the cloud function that were never registered as secrets.
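For the detection side, here is a small build-log scanner, added as an example and not part of the original post or of any vendor tool, that covers both the AWS and the gcloud cases above. It walks a log line by line, recognises a Lambda JSON response’s `"Variables": {` block and a gcloud YAML `environmentVariables:` block, and reports every environment variable name that was echoed, flagging names that look like credentials. The log text is constructed for the example: the JSON follows the Lambda API field names, and the gcloud YAML lines approximate the resource dump `gcloud functions deploy` prints, so treat the exact gcloud output format as an assumption.

```python
"""Scan a CI build log for environment variable dumps echoed by cloud CLIs."""
import re
from dataclasses import dataclass

# Constructed build log: a Lambda update response followed by a gcloud deploy dump.
# Field names follow the Lambda API; the gcloud YAML shape is an approximation.
SAMPLE_LOG = """\
2024-04-16T10:02:11Z Run aws lambda update-function-code --function-name MyFunction --zip-file fileb://deploy.zip
{
    "FunctionName": "MyFunction",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
    "Environment": {
        "Variables": {
            "DB_HOST": "db.internal.example",
            "DB_PASSWORD": "s3cr3t-from-console"
        }
    },
    "LastModified": "2024-04-16T10:02:10.000+0000"
}
2024-04-16T10:03:40Z Run gcloud functions deploy my-func --update-env-vars REGION=eu
Deploying function (may take a while - up to 2 minutes)...done.
availableMemoryMb: 256
entryPoint: handler
environmentVariables:
  REGION: eu
  STRIPE_SECRET_KEY: sk_test_constructed
name: projects/demo/locations/europe-west1/functions/my-func
status: ACTIVE
"""

JSON_BLOCK_START = re.compile(r'"Variables"\s*:\s*\{\s*$')   # opens a Lambda env block
JSON_KEY = re.compile(r'^\s*"([^"]+)"\s*:')                   # "NAME": value
YAML_BLOCK_START = re.compile(r'^(\s*)environmentVariables:\s*$')
YAML_KEY = re.compile(r'^(\s*)([A-Za-z_][A-Za-z0-9_]*):')
SENSITIVE_NAME = re.compile(r'(PASS|SECRET|TOKEN|KEY|CREDENTIAL)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line number in the log
    source: str      # "lambda-json" or "gcloud-yaml"
    name: str        # environment variable name that was echoed
    sensitive: bool  # name looks like a credential


def scan_build_log(text: str) -> list[Finding]:
    """Return one Finding per environment variable name echoed into the log."""
    findings: list[Finding] = []
    mode = None          # None, "lambda-json" or "gcloud-yaml"
    yaml_indent = -1     # indentation of the environmentVariables: key
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if mode == "lambda-json":
            if raw.strip().startswith("}"):
                mode = None              # closing brace of the Variables object
            else:
                m = JSON_KEY.match(raw)
                if m:
                    findings.append(Finding(lineno, mode, m.group(1),
                                            bool(SENSITIVE_NAME.search(m.group(1)))))
            continue
        if mode == "gcloud-yaml":
            m = YAML_KEY.match(raw)
            if m and len(m.group(1)) > yaml_indent:
                findings.append(Finding(lineno, mode, m.group(2),
                                        bool(SENSITIVE_NAME.search(m.group(2)))))
                continue
            mode = None                  # indentation dropped: block ended on this line
        # Not inside a block: look for the start of one.
        if JSON_BLOCK_START.search(raw):
            mode = "lambda-json"
        else:
            m = YAML_BLOCK_START.match(raw)
            if m:
                mode = "gcloud-yaml"
                yaml_indent = len(m.group(1))
    return findings


def sensitive_names(findings: list[Finding]) -> list[str]:
    """Names worth rotating: they were printed and look like credentials."""
    return [f.name for f in findings if f.sensitive]


if __name__ == "__main__":
    for f in scan_build_log(SAMPLE_LOG):
        flag = "ROTATE" if f.sensitive else "info"
        print(f"line {f.line:>3} {f.source:<12} {f.name:<20} {flag}")
```

Any name reported by the scanner should be treated as exposed to everyone who can read the build log, and credentials among them rotated; the value itself is not needed to know it leaked, which is why the scanner only records names.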
About Author

Titus

Titus is a frequent speaker on the blogs.
