
Cloud Users Warned of Data Exposure Risk From Command-Line Tools

Cloud security specialists found data exposure risk associated with Azure, AWS, and Google Cloud command-line tools.


Cloud security firm Orca is warning organizations that command-line tools can expose sensitive information, but major cloud services providers say the behavior is expected.

Microsoft Azure, AWS and Google Cloud provide command-line interface (CLI) tools that customers can use for interacting with each platform. 

Researchers found that some commands in these tools print environment variables as part of their output. When such a command runs in a CI/CD pipeline, that output, including any secrets stored in the variables, is captured in the build logs.

“If bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Orca explained on Tuesday.

According to Orca, the CLI commands are assumed by default to be running in a trusted environment, but the same tools are routinely invoked from continuous integration and continuous delivery (CI/CD) pipelines, where their output is written to build logs, and that is where the exposure arises.

The issue was initially discovered by a Palo Alto Networks researcher in the Azure CLI last year. Microsoft assigned the vulnerability the identifier CVE-2023-36052 and patched it in November 2023. 

“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said in its advisory. 

Orca later discovered that the same issue, which it has named LeakyCLI, also impacts AWS and Google Cloud CLI tools. 


AWS and Google Cloud, however, have described it as “expected behavior”, according to the cloud security firm, though customers can take steps to prevent sensitive data from being exposed.

“We’re appreciative of the researcher’s work in identifying and reporting their findings to Google,” a Google Cloud spokesperson told SecurityWeek. “We do not consider this specific finding a vulnerability as environment variables are inherently not secure for storing secrets in production workloads. Google recommends using Secrets manager functions built into gcloud deploy cmd to store credentials.”

As for AWS, it told Orca that it will update its documentation for customers. The cloud giant recommends not storing secrets in environment variables, and reviewing build logs for sensitive information. 
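The following script is an added illustration of the exposure described above and of the two mitigations the providers recommend (keeping secrets out of environment variables and reviewing build logs). It is not code from Orca, Microsoft, AWS or Google, and it does not use any real cloud CLI: the `leaky_build_step` function is a hypothetical stand-in for a CLI command that echoes environment variables into its output, `safe_build_step` is a hardened variant that reads credentials from a file (a stand-in for a secret-manager lookup) and never exports them, and `count_leaked_secrets` is the kind of log check a pipeline owner can run. All credential values are constructed sample data (the AWS documentation example key pair and a made-up password).

```shell
#!/bin/sh
# Added example, not code from the article or from any cloud provider.
# Models the LeakyCLI failure mode: a build step whose output includes its
# environment variables is captured verbatim into a CI build log.
# All credential values are constructed sample data.

# Hypothetical leaky build step. The environment dump stands in for a CLI
# command that prints its configuration, environment variables included.
# The body runs in a subshell so the exported secrets do not outlive the step.
leaky_build_step() (
    AWS_ACCESS_KEY_ID='AKIAIOSFODNN7EXAMPLE'
    AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    DB_PASSWORD='constructed-sample-password'
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY DB_PASSWORD
    echo 'Deploying function demo-func ...'
    # The leak: environment echoed to stdout, which the CI runner logs.
    env | grep -E '^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|DB_PASSWORD)=' | sort
    echo 'Deployment complete.'
)

# Hardened variant (also hypothetical): credentials are read from a file
# handed to the step, standing in for a secret-manager lookup, and are never
# exported; anything inherited from the runner's environment is dropped
# first, so the same environment echo has nothing sensitive to print.
safe_build_step() (
    secret_file="$1"
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY DB_PASSWORD
    echo 'Deploying function demo-func ...'
    env | grep -E '^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|DB_PASSWORD)=' || true
    n=$(grep -c . "$secret_file")   # used in-process only, never printed
    echo "Loaded $n credentials from secret store."
    echo 'Deployment complete.'
)

# Count lines in a build log that look like leaked credentials: AWS access
# key IDs (AKIA/ASIA followed by 16 uppercase alphanumerics) or NAME=value
# lines whose name suggests a secret. Prints the count; 0 means nothing found.
count_leaked_secrets() {
    grep -Ec 'A(KIA|SIA)[0-9A-Z]{16}|^[A-Za-z_]*(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY)[A-Za-z_]*=.' "$1" || true
}

# Run a step the way a CI runner does (stdout and stderr captured to a log
# file) and print how many credential-looking lines that log contains.
leaked_lines_for() {
    _log=$(mktemp)
    "$@" > "$_log" 2>&1
    count_leaked_secrets "$_log"
    rm -f "$_log"
}

# Stand-alone demonstration: the leaky step lands three credential lines in
# the log, the hardened step lands none.
demo() {
    _secrets=$(mktemp)
    printf 'AKIAIOSFODNN7EXAMPLE\nwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n' > "$_secrets"
    echo "leaky step: $(leaked_lines_for leaky_build_step) credential line(s) in log"
    echo "safe step:  $(leaked_lines_for safe_build_step "$_secrets") credential line(s) in log"
    rm -f "$_secrets"
}
demo
```

The scan is deliberately cheap (two regular expressions over the captured log) so it can run as a final pipeline step before logs are retained; a hit should fail the build and trigger rotation of the exposed credential, since the value is already on disk at that point. On GitHub Actions, registering secret values with `echo "::add-mask::$value"` before running the CLI adds a second layer by having the runner redact them from the log, but that only covers values the pipeline knows about in advance, which is why the providers' primary advice is to keep secrets out of the environment altogether.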



Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
