April 16, 2024 at 11:00AM
Cloud security firm Orca has warned that certain command-line tools from major cloud service providers expose sensitive information in the form of environment variables, posing security risks. Orca found the issue affecting not just Azure but also the AWS and Google Cloud CLI tools; Microsoft Azure, AWS, and Google Cloud confirmed the issue and provided guidance on safeguarding sensitive data.
From the meeting notes, the key takeaways are:
– Orca has warned organizations about the potential exposure of sensitive information through command-line tools provided by major cloud service providers – Microsoft Azure, AWS, and Google Cloud.
– When these CLI tools are run, their output can carry environment variables, and with them credentials, passwords, usernames, and keys, into build log files, where anyone with access to the logs can read them.
– Microsoft Azure was the first to address the issue by assigning a vulnerability identifier (CVE-2023-36052) and patching it in November 2023, acknowledging the potential risk of recovering plaintext passwords and usernames from the affected CLI commands’ log files.
– Orca later discovered that the same issue, named LeakyCLI, also impacts AWS and Google Cloud CLI tools, with both providers describing it as “expected behavior” and recommending steps for preventing exposure of sensitive data.
– Google Cloud points to its Secret Manager for storing credentials and recommends against keeping secrets in environment variables; AWS plans to update its documentation and likewise advises customers not to store secrets in environment variables and to review build logs for sensitive information.
It is crucial for organizations using these cloud services to be aware of these potential security risks and follow the recommended steps to mitigate the exposure of sensitive data.
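As an added illustration of the “review build logs” advice above (this is not code from Orca or any of the providers), the following Python scanner flags and redacts environment variables with secret-looking names in the three output shapes these CLIs commonly print; the sensitive-name list, the output shapes, and the sample log lines are constructed assumptions.

```python
"""Scan CI build-log lines for cloud CLI output that echoes environment
variables holding secrets, and produce a redacted copy safe to retain.
The sample log at the bottom is constructed for illustration."""
import re

# Variable names that usually hold secrets (assumed list; extend per environment).
SENSITIVE = re.compile(
    r"SECRET|PASSW|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY|CONNECTION_STRING", re.I
)
# Shapes in which CLI output prints a variable and its value (assumed):
#  1. Azure-style objects: {"name": "X", "slotSetting": false, "value": "Y"}
#  2. JSON maps:           "X": "Y"
#  3. Shell/YAML style:    X=Y   or   X: Y
SHAPES = [
    re.compile(r'"name"\s*:\s*"(?P<n>[^"]+)"[^}]*?"value"\s*:\s*"(?P<v>[^"]*)"'),
    re.compile(r'"(?P<n>[A-Za-z_][A-Za-z0-9_]*)"\s*:\s*"(?P<v>[^"]*)"'),
    re.compile(r"\b(?P<n>[A-Z][A-Z0-9_]+)(?:=|:\s+)(?P<v>\S+)"),
]


def scan_line(line):
    """Return (redacted_line, names): names are sensitive variables found in line."""
    found = []

    def mask(m):
        if not SENSITIVE.search(m.group("n")):
            return m.group(0)
        found.append(m.group("n"))
        start, end = m.span("v")  # replace only the value, keep the variable name
        return m.string[m.start():start] + "[REDACTED]" + m.string[end:m.end()]

    for shape in SHAPES:
        line = shape.sub(mask, line)
    return line, found


def scan_log(lines):
    """Scan a whole log; returns (redacted_lines, [(lineno, name), ...])."""
    clean, hits = [], []
    for no, line in enumerate(lines, 1):
        redacted, names = scan_line(line)
        clean.append(redacted)
        hits.extend((no, n) for n in names)
    return clean, hits


# Constructed sample of what a build log can capture from CLI output.
SAMPLE_LOG = [
    "Step 3/5: az webapp config appsettings list --name web --resource-group rg",
    '[{"name": "DB_PASSWORD", "slotSetting": false, "value": "hunter2"}, '
    '{"name": "REGION", "slotSetting": false, "value": "eastus"}]',
    "Step 4/5: aws lambda get-function-configuration --function-name fn",
    '"Environment": {"Variables": {"API_KEY": "example-key-value", "LOG_LEVEL": "info"}}',
    "Step 5/5: gcloud functions describe fn",
    "  STRIPE_SECRET: sk_test_example",
    "  DEBUG: true",
]

if __name__ == "__main__":
    clean, hits = scan_log(SAMPLE_LOG)
    for no, name in hits:
        print(f"line {no}: {name} exposed in build log")
    print("\n".join(clean))
```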