AWS and Google Cloud CLI Vulnerabilities

Amazon Web Services (AWS) and Google Cloud CLI tools may inadvertently expose sensitive credentials within build logs.

Recent findings in cybersecurity research reveal that Command-Line Interface (CLI) tools, particularly those provided by Amazon Web Services (AWS) and Google Cloud, may inadvertently expose sensitive credentials within build logs. This vulnerability, which has been termed LeakyCLI by the cloud security firm Orca, poses significant risks to organizations by potentially leaking critical access information through automation tools used in software development.

The issue centers around how certain CLI commands display environment variables that may contain sensitive data such as passwords, API keys, and access tokens. During the processes of Continuous Integration and Continuous Deployment (CI/CD), which are commonly automated through platforms like GitHub Actions, CircleCI, and Cloud Build, these commands can output sensitive information directly into publicly accessible logs.

This vulnerability was identified across multiple CLI tools including Azure CLI, AWS CLI, and Google Cloud CLI. However, while Microsoft has responded to the vulnerability by updating Azure CLI and addressing it under CVE-2023-36052 with a CVSS score of 8.6, Amazon and Google have categorized this as an expected behavior, noting that the security of CLI environments falls under organizational responsibility.

The commands found to be at risk include several AWS Lambda and Google Cloud Functions commands which, if executed within CI/CD scripts, can unintentionally expose sensitive environment variables. Some of these commands are:

  • AWS CLI:

    • aws lambda get-function-configuration

    • aws lambda get-function

    • aws lambda update-function-configuration

    • aws lambda update-function-code

    • aws lambda publish-version

  • Google Cloud CLI:

    • gcloud functions deploy <func> --set-env-vars

    • gcloud functions deploy <func> --update-env-vars

    • gcloud functions deploy <func> --remove-env-vars

Orca’s research uncovered several instances where projects inadvertently leaked sensitive data via GitHub Actions, demonstrating how widespread and easily exploitable this vulnerability can be.

Who is at Risk?

Organizations that use these CLI tools within their CI/CD pipelines are at potential risk, especially if they handle sensitive information that could give attackers access to internal systems or data. This includes tech companies, enterprises using cloud services for operations or software development, and any entity relying on automated cloud interactions that might include sensitive configurations.

Mitigating the Risk

To mitigate these risks, organizations are advised to follow several best practices:

  1. Use Dedicated Secret Management Services: Rather than storing sensitive information in environment variables, use services designed to manage secrets securely. AWS Secrets Manager and Google Cloud Secret Manager are two such services that provide mechanisms to store and access secrets securely without exposing them in logs.

  2. Suppress Sensitive Output: For Google Cloud users, employing the --no-user-output-enabled option can suppress the printing of command output to the terminal, reducing the risk of leaking sensitive information through console logs.

  3. Environment Hardening: Ensure that CLI commands are executed in secure environments. This involves configuring access controls and security settings to limit who can execute commands and under what conditions.

  4. Regular Audits and Monitoring: Implement monitoring tools to detect unusual access patterns or unauthorized attempts to access secrets. Regular audits of CI/CD pipelines and associated scripts can help identify and rectify potential vulnerabilities.

  5. Education and Awareness: Train developers and IT staff on the risks associated with handling sensitive information within CI/CD environments. Promote security best practices and ensure that personnel are aware of how to securely configure and use cloud and automation tools.
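For the pipeline audits in item 4, a small linter can flag the commands listed above when their output would still reach the build log. This is an added example, not code from Orca or from the original post; the stdout-redirect heuristic, the function names and the sample script are assumptions constructed for illustration.

```python
import re

# Commands the article lists as printing function environment variables.
AWS_RISKY = re.compile(
    r"\baws\s+lambda\s+(get-function-configuration|get-function|"
    r"update-function-configuration|update-function-code|publish-version)(?![\w-])")
GCLOUD_RISKY = re.compile(
    r"\bgcloud\s+functions\s+deploy\b.*--(?:set|update|remove)-env-vars\b")
# Assumption: stdout sent to a file or /dev/null never reaches the build log.
STDOUT_REDIRECT = re.compile(r"(?:^|\s)(?:1|&)?>>?\s*\S")

def logical_lines(text):
    """Yield (first_line_no, command) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", 0
    if buf:  # dangling continuation at end of file
        yield start, buf.strip()

def audit(text):
    """Return (line_no, reason) for each command that may print env vars."""
    findings = []
    for no, cmd in logical_lines(text):
        m = AWS_RISKY.search(cmd)
        if m and not STDOUT_REDIRECT.search(cmd):
            findings.append((no, f"aws lambda {m.group(1)}: stdout reaches log"))
        if GCLOUD_RISKY.search(cmd) and "--no-user-output-enabled" not in cmd:
            findings.append((no, "gcloud functions deploy: output not suppressed"))
    return findings

# Constructed sample of a CI step script (not taken from any real project).
SAMPLE = """\
aws lambda get-function-configuration --function-name demo
aws lambda update-function-code --function-name demo \\
    --zip-file fileb://build.zip > /dev/null
gcloud functions deploy demo --runtime python312 \\
    --set-env-vars API_KEY=$API_KEY
gcloud functions deploy demo --update-env-vars MODE=prod --no-user-output-enabled
aws lambda publish-version --function-name demo 2>/dev/null
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample it reports lines 1, 4 and 7: redirecting only stderr (`2>/dev/null`) does not keep the command's response out of the log.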

By understanding the threat landscape and implementing these mitigation strategies, organizations can significantly reduce their vulnerability to attacks exploiting the LeakyCLI issue and enhance their overall cybersecurity posture. Ensuring that CLI tools and environments are secure is not just a technical necessity but a critical component of maintaining trust and integrity within digital operations.