high

CLI Tools Leak Credentials in GitHub Actions Logs

Published Tue, Nov 14th, 2023
Platforms

Summary

Palo Alto Networks found that Azure CLI commands run inside GitHub Actions workflows could write sensitive credentials and environment variables into the job log. The issue affects workflows in both public and private repositories: a public repository exposes the log to anyone, a private one to everyone with read access to the repository. The root cause is the Azure CLI's design of echoing back the resource it accessed, created, updated or deleted, and that echoed resource can carry secrets, such as an app's full settings list, including values the workflow never passed in. GitHub's log masking only redacts strings registered as secrets, so values that come back from the cloud side are printed in the clear. Follow-up research by Orca Security showed that the AWS CLI and Google Cloud CLI behave the same way, but AWS and Google consider this expected behavior.

Affected Services

Azure CLI, AWS CLI, Google Cloud CLI

Remediation

Update Azure CLI to version 2.54 or later. Keep sensitive values in Azure Key Vault rather than in app settings or pipeline variables. When a command's output is needed, store it in a shell variable or narrow it with a JMESPath query (--query) so that only the required field is emitted; when it is not needed, suppress it with the "--output none" option or by redirecting stdout to /dev/null. Because GitHub Actions only masks values that were registered as secrets, register any value the CLI returns with the ::add-mask:: workflow command before it can reach the log. As a general rule, avoid storing secrets in environment variables, and instead retrieve them at runtime from a dedicated secrets store service such as AWS Secrets Manager, Google Secret Manager or Azure Key Vault.

Tracked CVEs

CVE-2023-36052

References

Entry Status
Finalized
Disclosure Date
Sat, Jul 1st, 2023
Exploitability Period
Until 2023/11/14 in Azure, ongoing in AWS and GCP
Known ITW Exploitation
-
Detection Methods
Review GitHub Actions logs for exposed credentials. Check CLI command usage in workflows for proper output handling. Use secrets scanning tools to identify potentially leaked secrets in repository history.
Piercing Index Rating
-
Discovered by
Aviad Hahami, Palo Alto Networks
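The log review listed under Detection Methods, as an added example that is not part of the advisory: a first-pass scan of a downloaded GitHub Actions job log for credential material a cloud CLI may have echoed back. The log excerpt is constructed in the runner's format and every credential-looking string in it is fake (AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation); the patterns, the scan_log and hit_count function names and the minimum-length thresholds are this example's own choices and are illustrative rather than exhaustive.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): scan a GitHub Actions job log for
# values a cloud CLI may have echoed back. Every hit is a lead for manual
# review and, once confirmed, for rotating the exposed secret. Assumes grep -E.

# Constructed excerpt of a job log (ISO timestamp, then the line). The az call
# sets only FEATURE_FLAG, yet the echo-back carries DB_PASSWORD, which the
# runner never held as a secret and therefore never masked. All values are fake.
SAMPLE_LOG='2023-11-14T09:12:01.0000000Z Run az webapp config appsettings set -g rg -n app --settings FEATURE_FLAG=on
2023-11-14T09:12:03.0000000Z [
2023-11-14T09:12:03.0000000Z   {
2023-11-14T09:12:03.0000000Z     "name": "DB_PASSWORD",
2023-11-14T09:12:03.0000000Z     "slotSetting": false,
2023-11-14T09:12:03.0000000Z     "value": "Fake-Db-Pa55word"
2023-11-14T09:12:03.0000000Z   },
2023-11-14T09:12:03.0000000Z   {
2023-11-14T09:12:03.0000000Z     "name": "FEATURE_FLAG",
2023-11-14T09:12:03.0000000Z     "slotSetting": false,
2023-11-14T09:12:03.0000000Z     "value": "on"
2023-11-14T09:12:03.0000000Z   }
2023-11-14T09:12:03.0000000Z ]
2023-11-14T09:12:05.0000000Z Run aws lambda get-function-configuration --function-name fn
2023-11-14T09:12:07.0000000Z "Variables": {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "STORAGE_CONN": "DefaultEndpointsProtocol=https;AccountName=fakeacct;AccountKey=ZmFrZWtleWZha2VrZXk=;EndpointSuffix=core.windows.net"}
2023-11-14T09:12:09.0000000Z Post job cleanup.'

# scan_log [FILE...]: print "line:text" for every log line carrying one of the
# patterns below. Reads stdin when no file is given. The 8-character floor on
# echoed "value" fields drops short flags such as "on" to cut noise.
scan_log() {
  grep -n -E \
    -e 'AKIA[0-9A-Z]{16}' \
    -e 'AccountKey=[A-Za-z0-9+/=]{8,}' \
    -e '"value": *"[^"]{8,}"' \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    "$@"
}

# hit_count [FILE...]: number of flagged lines, usable to fail a review job.
hit_count() {
  scan_log "$@" | grep -c ''
}

# Lines of the constructed log that would be flagged for review:
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Run it over logs exported with the GitHub CLI or the REST API for every workflow that invokes az, aws or gcloud; a flagged line is not proof of exposure, but a secret that appears verbatim in a log should be treated as compromised and rotated.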