Microsoft Patches Sensitive Information Disclosure Vulnerability in Azure CLI

November 15, 2023 at 09:57AM

Microsoft has released patches and guidance for a high-severity vulnerability in Azure CLI that could expose sensitive information. The bug allowed certain Azure CLI functions to inadvertently expose secrets through CI/CD logs, potentially compromising plaintext passwords and usernames. Microsoft has made changes to Azure CLI commands to address the issue and recommends following security best practices, including keeping Azure CLI updated, not exposing CLI output in logs, and regularly rotating keys and secrets.

Key takeaways:

1. Microsoft has released patches and guidance for a high-severity vulnerability in Azure Command-Line Interface (CLI) that could expose sensitive information through GitHub Actions logs.
2. The vulnerability (CVE-2023-36052) allows certain Azure CLI functions to inadvertently expose secrets through CI/CD logs, leading to the exposure of credentials.
3. Attackers with ‘Read’ permissions on private repositories can retrieve the sensitive information from the logs.
4. The vulnerability was reported by a security researcher from Palo Alto Networks.
5. Microsoft has made changes to Azure CLI commands and other products to improve secret redaction and prevent leaks.
6. Customers are advised to follow security best practices, including keeping Azure CLI updated, not exposing CLI output in logs, regularly rotating keys and secrets, and reviewing guidance on secrets management and the security of GitHub Actions and Azure Pipelines.
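The practical half of the guidance above is "do not let CLI output reach the log". The following POSIX shell snippet is an added example, not code from Microsoft or from the Azure CLI project, and it does not reproduce the specific commands affected by CVE-2023-36052. It shows a defender's filter that redacts secret-looking JSON fields from command output before that output is printed in a CI job; the key names it matches and the sample JSON it runs on are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Microsoft's or the Azure CLI project's code): a pipeline
# filter that redacts secret-looking JSON string fields before output is logged.
# The key-name patterns are illustrative, not a list taken from the advisory.

redact_secrets() {
  # Blank out the string value of any key whose name contains password,
  # secret, key, connectionString or token (first letter either case).
  # Note: "key" also catches names such as "monkey"; over-redaction is the
  # safer failure mode in a CI log.
  sed -E 's/("[A-Za-z0-9_]*([Pp]assword|[Ss]ecret|[Kk]ey|[Cc]onnectionString|[Tt]oken)[A-Za-z0-9_]*"[[:space:]]*:[[:space:]]*")[^"]*"/\1***"/g'
}

# Constructed sample resembling JSON a CLI command might print to stdout.
SAMPLE='{"user":"deploy","password":"Pa55w0rd!","storageKey":"abc123","region":"westus"}'

# Returns the sample after redaction so it can be checked in a test.
redacted_sample() {
  printf '%s' "$SAMPLE" | redact_secrets
}

# Usage in a job step:   az <command> | redact_secrets
# Better still, request only the field you need and drop the rest, e.g.
#   az <command> --query "<field>" --output tsv
# and, on GitHub Actions, mask any value that must be echoed at all:
#   echo "::add-mask::$VALUE"
redacted_sample
printf '\n'
```

The filter is a last line of defence, not a substitute for the advisory's primary advice: update Azure CLI so the redaction fixes apply, avoid echoing command output into logs in the first place, and rotate any credential that may already have been written to a log.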