Security researchers have disclosed a vulnerability in the command-line tools used to manage cloud environments.
Dubbed “LeakyCLI” by the Orca Security team, the flaw exposes sensitive credentials in logs, posing potential risks to organizations utilizing AWS and Google Cloud platforms.
The issue mirrors a previously identified vulnerability in Azure CLI (CVE-2023-36052, CVSS score 8.6), which Microsoft addressed in November 2023. Despite Microsoft’s fix, the AWS and Google Cloud CLIs remain susceptible to the same flaw.
The vulnerability arises because certain commands in these CLIs return a resource’s configuration, including the environment variables set on that resource, and print it to stdout. When such a command runs inside a build job, the job’s log captures that output, and any secret stored in those variables ends up in the log.
Anyone able to read the logs, including an adversary who has compromised the CI system or its log storage, can harvest passwords, API keys and other credentials from them and use those credentials to reach whatever they protect. The risk is most pronounced in Continuous Integration and Continuous Deployment (CI/CD) pipelines, where build logs are retained, are often readable by far more people than the secrets themselves, and in open-source projects may be public.
“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat,” reads an advisory published by Orca today.
“This bypasses secret labeling, which aims to block sensitive exposure because the credentials that are printed back to stdout [the default stream where a program writes its output data] were never defined by the user during the automation setup.”
Orca notified Google and AWS upon discovery, but both companies said they consider the behavior to be by design. To mitigate the risk, Orca recommends that organizations refrain from storing secrets in environment variables at all and instead retrieve them at runtime from a dedicated secrets store such as AWS Secrets Manager. A secret fetched at runtime never appears in the resource’s configuration, so the CLI has nothing to print. Where that change is not yet possible, treat the output of configuration-reading commands as sensitive: redirect or filter it in the pipeline step rather than letting it reach the build log, and audit existing logs for values that were printed before the change.
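The following Python example, added here and not part of Orca’s advisory or of either vendor’s tooling, models the mechanism described above: a CI system masks only the values its operator registered as secrets, so a CLI response that carries a function’s environment variables passes through unmasked. It also shows the two practitioner controls mentioned: a redaction wrapper that blanks the variable values before the output is logged, and a detector that scans a captured log for credential-like keys whose values were not masked. The JSON document, the variable names and their values are constructed for the example and only loosely follow the shape of a configuration response; the key-name heuristic in SECRET_KEY_PATTERN is an assumption of this example, not a rule from the advisory.

```python
import json
import re

# Constructed sample with hypothetical values: a JSON document in the general shape a
# cloud CLI uses when it returns a function's configuration, including the
# environment variables set on that function. Not real CLI output, not real secrets.
SAMPLE_CLI_OUTPUT = json.dumps({
    "FunctionName": "billing-export",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "DB_PASSWORD": "hunter2-prod",
            "API_TOKEN": "tok_abcdef123456",
            "LOG_LEVEL": "info",
        }
    },
}, indent=2)

# The only value the pipeline operator registered as a secret when setting up the job.
REGISTERED_SECRETS = ["ci-deploy-token-xyz"]

# Key names that usually carry credentials (heuristic; an assumption of this example).
SECRET_KEY_PATTERN = re.compile(r"(PASS|PASSWORD|TOKEN|SECRET|KEY|CREDENTIAL)", re.I)


def mask_registered_secrets(text: str, registered: list[str]) -> str:
    """Model of CI secret masking: replace only values registered as secrets.

    This is why the leak bypasses masking: the CLI prints values the operator
    never registered, so nothing matches and they reach the log verbatim.
    """
    for value in registered:
        if value:
            text = text.replace(value, "***")
    return text


def redact_env_vars(cli_output: str) -> str:
    """Hardening wrapper: blank Environment.Variables values before logging.

    Intended use: pass the CLI's JSON through this before it reaches stdout,
    so the build log records the keys but never the values.
    """
    data = json.loads(cli_output)
    variables = data.get("Environment", {}).get("Variables")
    if isinstance(variables, dict):
        data["Environment"]["Variables"] = {k: "[REDACTED]" for k in variables}
    return json.dumps(data, indent=2)


def find_leaked_env_keys(log_text: str) -> list[str]:
    """Detection: return keys with credential-like names that appear in a
    captured log with a value that was neither masked nor redacted."""
    leaked = []
    for match in re.finditer(r'"([A-Z0-9_]+)":\s*"([^"]*)"', log_text):
        key, value = match.group(1), match.group(2)
        if SECRET_KEY_PATTERN.search(key) and value not in ("***", "[REDACTED]", ""):
            leaked.append(key)
    return leaked


if __name__ == "__main__":
    # 1. What the build log records today: masking leaves the function's secrets intact.
    logged = mask_registered_secrets(SAMPLE_CLI_OUTPUT, REGISTERED_SECRETS)
    print("Leaked keys in log:", find_leaked_env_keys(logged))  # ['DB_PASSWORD', 'API_TOKEN']
    # 2. Same command, output redacted before the log captures it.
    safe = mask_registered_secrets(redact_env_vars(SAMPLE_CLI_OUTPUT), REGISTERED_SECRETS)
    print("Leaked keys after redaction:", find_leaked_env_keys(safe))  # []
```

The detector is deliberately crude: it keys on variable names rather than on value entropy, because the point of the bypass is that the values are unknown to the masking layer. Running it over archived build logs is a cheap way to find out whether configuration-reading commands have already written secrets into log storage, which then need to be rotated.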
Keeping secrets out of resource configuration, and out of build logs, closes the exposure that LeakyCLI depends on and protects the wider cloud infrastructure those credentials unlock.