Orca Security has identified a critical vulnerability known as LeakyCLI, affecting the command-line interfaces (CLIs) of major cloud providers such as AWS [2], Google Cloud Platform [2] [4], and Azure [1] [4] [6] [7].
Description
This vulnerability exposes sensitive credentials stored in environment variables and build logs, potentially leaking access keys and passwords [6]. While Microsoft has released a security update (CVE-2023-36052) for Azure CLI to address this issue, AWS and Google Cloud CLI remain vulnerable [4]. To mitigate this risk, organizations are advised to avoid storing secrets in environment variables and to use dedicated services like AWS Secrets Manager and Google Cloud Secret Manager instead [2] [3] [4] [5] [6] [7]. Additionally, implementing multi-factor authentication [2], granular access control [2], secure coding practices [6], restricting access to build logs [6], and conducting regular vulnerability scanning are recommended. Orca Security has informed Google and AWS about this vulnerability, and both companies have acknowledged that this behavior falls within expected design parameters.
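As an added illustration of keeping secrets out of stored build logs (not code from Orca Security or any of the cited sources), the following Python sketch redacts credential-looking values from CI output before it is archived. The function name, the keyword heuristics and the sample log are constructed for this example; the key shown is the placeholder access key ID used in AWS documentation.

```python
import re

# Variable names that suggest a secret value (assumed heuristic list; extend as needed).
SECRET_NAME = r"[A-Za-z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|ACCESS_?KEY)[A-Za-z0-9_]*"

# Order matters: named variables are redacted first so a key is not counted twice.
PATTERNS = [
    # NAME=value or "NAME": "value" where NAME looks secret-bearing.
    ("secret_named_variable", re.compile(
        r'(?P<name>"?' + SECRET_NAME + r'"?\s*[=:]\s*)(?P<value>"[^"\n]+"|[^\s",]+)',
        re.IGNORECASE)),
    # Bare AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 characters.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
]

def redact_build_log(text):
    """Return (redacted_text, findings); findings are (line_number, kind) tuples."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            def repl(match, kind=kind):
                findings.append((lineno, kind))
                if "value" in match.groupdict():
                    # Keep the variable name so the log stays readable.
                    return match.group("name") + "[REDACTED]"
                return "[REDACTED]"
            line = pattern.sub(repl, line)
        out.append(line)
    return "\n".join(out), findings

# Constructed sample of CI output in which a CLI call echoed environment variables.
SAMPLE_LOG = """\
Step 4/9 : cloud CLI prints function configuration
    "Variables": {"DB_PASSWORD": "hunter2-constructed", "STAGE": "prod"}
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
found key AKIAIOSFODNN7EXAMPLE in legacy script
Build finished in 42s
"""

if __name__ == "__main__":
    redacted, hits = redact_build_log(SAMPLE_LOG)
    print(redacted)
    for lineno, kind in hits:
        print(f"line {lineno}: {kind}")
```

A non-empty findings list is also a useful signal to fail the pipeline step and rotate the affected credential, since the unredacted value may already have been written elsewhere.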
Conclusion
It is crucial for organizations to eliminate secrets from environment variables and build logs and to promote a vigilant development community in order to enhance security in cloud environments. The vulnerability, known as LeakyCLI [2] [3] [5], poses significant risks to organizations [5], as sensitive information in the form of environment variables can be collected by adversaries [1] [5] [7]. Microsoft has addressed this issue with a security update [1] [5] [6], but AWS and Google Cloud remain vulnerable [4]. Organizations should take proactive measures to secure their cloud environments and prevent unauthorized access to sensitive information and credentials.
References
[1] https://innovatopia.jp/cyber-security/cyber-security-news/22663/
[2] https://www.hackread.com/vulnerability-leakycli-leaks-aws-google-cloud-credentials/
[3] https://www.443news.com/2024/04/aws-google-and-azure-cli-tools-could-leak-credentials-in-build-logs/
[4] https://www.infosecurity-magazine.com/news/leakycli-exposes-aws-google-cloud/
[5] https://www.hendryadrian.com/cyware-aws-google-and-azure-cli-tools-could-leak-credentials-in-build-logs/
[6] https://vulert.com/blog/aws-google-azure-cli-tools-credential-leaks/
[7] https://orca.security/resources/blog/leakycli-aws-google-cloud-command-line-tools-can-expose-sensitive-credentials-build-logs/