November 14, 2023 at 01:46PM
Microsoft has addressed a critical security vulnerability in Azure CLI that could allow attackers to steal credentials from GitHub Actions or Azure DevOps logs. The bug, identified as CVE-2023-36052, enables unauthenticated attackers to access plaintext contents written by Azure CLI to CI/CD logs. Microsoft advises users to update to Azure CLI version 2.53.1 or above, and offers additional steps to prevent exposure of secrets in logs. The company has also implemented new default configurations to enhance security measures. However, prior versions of Azure CLI are still susceptible to exploitation.
Key takeaways from the meeting notes:
1. Microsoft has fixed a critical security vulnerability (CVE-2023-36052) reported by Palo Alto’s Prisma Cloud.
2. The vulnerability allowed unauthenticated attackers to remotely access plaintext credentials from Azure CLI logs used in CI/CD.
3. Customers must update their Azure CLI version to 2.53.1 or above to protect against the vulnerability.
4. Users of Azure CLI commands were notified through the Azure Portal.
5. Microsoft advises all customers to update to the latest Azure CLI version (2.54) and follow steps to prevent accidental exposure of secrets in CI/CD logs.
6. Azure CLI default configuration has been updated to restrict the presentation of secrets in output.
7. Microsoft has expanded credential redaction capabilities in GitHub Actions and Azure Pipelines to obfuscate leaked keys in logs.
8. Redmond is continuously working on optimizing and extending protection for potential secret patterns.
Please note that these takeaways are a summary of the meeting notes and are not exhaustive.
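Two of the takeaways above can be enforced directly in a pipeline: the minimum fixed version (item 3) and the runner-side log redaction (item 7). The POSIX shell snippet below is an added example, not code from Microsoft or the advisory; the helper names are hypothetical, and it assumes `az version --output json`, the `GITHUB_ACTIONS` / `TF_BUILD` runner variables, GitHub Actions' `::add-mask::` command and Azure Pipelines' `##vso[task.setvariable ...;issecret=true]` command.

```shell
#!/bin/sh
# Added example (not from the advisory): gate a CI job on the Azure CLI fix
# version for CVE-2023-36052 and register sensitive values with the runner's
# log redaction. Helper names are hypothetical.
FIXED_VERSION="2.53.1"   # first Azure CLI release carrying the fix (from the advisory)

# Compare two dotted numeric versions; prints -1, 0 or 1. Missing components
# count as 0, so "2.53" sorts below "2.53.1". Pre-release suffixes are not handled.
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# Success (0) when the given version is at or above FIXED_VERSION.
azcli_is_patched() {
  [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Pull the "azure-cli" field out of `az version --output json` text with sed,
# so the check does not depend on jq being present in the CI image.
azcli_version_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"azure-cli": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Register a value with the runner's redaction before it is ever printed; the
# masking described in the takeaways only covers values the runner knows about.
mask_in_ci_logs() {
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    printf '::add-mask::%s\n' "$1"
  elif [ -n "${TF_BUILD:-}" ]; then
    printf '##vso[task.setvariable variable=AZ_SECRET;issecret=true]%s\n' "$1"
  fi
}

# CI step: fail the job before any credential-returning `az` command runs.
check_azcli() {
  installed="$(azcli_version_from_json "$(az version --output json 2>/dev/null)")"
  [ -n "$installed" ] || { echo "az not found or version unreadable" >&2; return 2; }
  azcli_is_patched "$installed" && return 0
  echo "Azure CLI $installed predates $FIXED_VERSION (CVE-2023-36052 fix); update before continuing" >&2
  return 1
}
```

Run `check_azcli` as the first step of the job; any value read back from `az` output should pass through `mask_in_ci_logs` before anything else can echo it.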