Infosec Watchtower Logo

LeakyCLI: Unveiling the Risk of Exposed Credentials in AWS and Google Cloud CLI Tools

Charles M. Walls | April 16, 2024 | Views: 192

A digital cybersecurity concept art illustrating a large digital lock symbol being broken into by computer code and lines of command script.

New findings from cybersecurity experts have revealed that command-line tools from major cloud services like Amazon Web Services (AWS) and Google Cloud could inadvertently reveal sensitive credentials through build logs, presenting a substantial security threat to enterprises. This newly identified vulnerability, dubbed LeakyCLI by cybersecurity firm Orca, could allow malicious entities to access private environmental variables exposed during automated processes.

Roi Nisimi, a security researcher, highlighted in a recent report that specific commands from the Azure CLI, AWS CLI, and Google Cloud CLI might disclose private data, including environmental variables. This sensitive information could be harvested by hackers if accidentally published in tools such as GitHub Actions. "If attackers access these variables, they might gain the ability to view sensitive details like passwords, usernames, and keys," Nisimi explained, emphasizing the potential for breaches that could allow unauthorized access to various resources.

While Microsoft has proactively addressed this issue with security updates in November 2023, receiving a CVE identifier CVE-2023-36052 with a high severity rating (CVSS score: 8.6), Amazon and Google have not made similar moves. Both companies regard the behavior as expected and advise organizations to safeguard their secrets by not storing them directly in environment variables but rather in specialized services like AWS Secrets Manager or Google Cloud Secret Manager.

Google has further recommended that users employ the "--no-user-output-enabled" flag to prevent command outputs from being displayed in terminal logs, adding an extra layer of security. Despite Microsoft's remedial action, the issue of sensitive data leaks persists, with Orca uncovering multiple instances where GitHub Actions, CircleCI, TravisCI, and Cloud Build logs accidentally exposed access tokens and other critical data.

This report underscores the crucial need for companies using CLI tools in their CI/CD pipelines to ensure their operational environments are secure to prevent any potential leaks or unauthorized access to sensitive information.

Source of Inspiration