SecurityWeek

Cloud Security

Cloud Users Warned of Data Exposure Risk From Command-Line Tools

Cloud security specialists found data exposure risk associated with Azure, AWS, and Google Cloud command-line tools.

Cloud security firm Orca is warning organizations that command-line tools can expose sensitive information, but major cloud services providers say the behavior is expected.

Microsoft Azure, AWS and Google Cloud provide command-line interface (CLI) tools that customers can use for interacting with each platform. 

Researchers found that some commands provided by these tools print environment variables in their output, and in automated pipelines that output is written to build log files, where any secrets held in those variables are exposed.

“If bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Orca explained on Tuesday.

According to Orca, CLI commands are assumed by default to be running in a secure environment, but they are also used in continuous integration and continuous delivery (CI/CD) pipelines, which is where the security risk emerges, because the command output is captured in build logs that are retained and shared beyond the environment the command ran in.

The issue was initially discovered by a Palo Alto Networks researcher in the Azure CLI last year. Microsoft assigned the vulnerability the identifier CVE-2023-36052 and patched it in November 2023. 


“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said in its advisory. 

Orca later discovered that the same issue, which it has named LeakyCLI, also impacts AWS and Google Cloud CLI tools. 

However, according to the cloud security firm, AWS and Google Cloud have described it as “expected behavior”, although their customers can take steps to prevent the exposure of sensitive data.

“We’re appreciative of the researcher’s work in identifying and reporting their findings to Google,” a Google Cloud spokesperson told SecurityWeek. “We do not consider this specific finding a vulnerability as environment variables are inherently not secure for storing secrets in production workloads. Google recommends using Secrets manager functions built into gcloud deploy cmd to store credentials.”

As for AWS, it told Orca that it will update its documentation for customers. The cloud giant recommends not storing secrets in environment variables, and reviewing build logs for sensitive information. 
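The build-log review that AWS recommends above can be automated. The following is an added example written for this article, not code from Orca or any cloud provider: a small Python scanner that detects environment-variable lines that have leaked into a CI build log (constructed sample below), flagging them by suspicious variable name or by a long high-entropy value, and returns a copy of the log with those values masked. The hint list, the line regex and the entropy threshold are assumptions of the example and should be tuned to your own pipelines.

```python
import math
import re

# Variable names that commonly hold credentials (constructed heuristic list; extend as needed).
SECRET_NAME_HINTS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "KEY", "CREDENTIAL")

# Matches env dumps as shell-style NAME=value or JSON-style "NAME": "value",
# the two shapes in which CLI output usually lands in a CI build log.
ENV_ASSIGN = re.compile(r'^\s*"?([A-Z][A-Z0-9_]{2,})"?\s*[:=]\s*"?([^"\s]+)"?\s*,?\s*$')

# Constructed sample of a build log; every value below is made up.
SAMPLE_LOG = """\
[build] step 3/5: dumping app settings
  "WEBSITE_SITE_NAME": "orders-api",
  "DB_PASSWORD": "Sup3rSecretP@ss!",
AWS_REGION=us-east-1
PATH=/usr/local/bin:/usr/bin
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ
WEBHOOK_HMAC=a7f3c9e1b2d4f6a8c0e2b4d6f8a1c3e5b7d9f1a3
"""

def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking tokens score high, paths and words score low."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def is_sensitive(name: str, value: str) -> bool:
    """Flag on a suspicious variable name, or on a long high-entropy value under any name."""
    if any(hint in name for hint in SECRET_NAME_HINTS):
        return True
    return len(value) >= 20 and shannon_entropy(value) >= 3.8

def scan_build_log(log: str, mask: str = "***REDACTED***") -> tuple[list[tuple[int, str]], str]:
    """Return (findings, redacted_log): findings are (line number, variable name) pairs
    for each leaked value, and redacted_log is the same text with those values masked."""
    findings, redacted = [], []
    for lineno, line in enumerate(log.splitlines(), start=1):
        m = ENV_ASSIGN.match(line)
        if m and is_sensitive(m.group(1), m.group(2)):
            findings.append((lineno, m.group(1)))
            line = line.replace(m.group(2), mask)
        redacted.append(line)
    return findings, "\n".join(redacted)

if __name__ == "__main__":
    hits, clean = scan_build_log(SAMPLE_LOG)
    for lineno, name in hits:
        print(f"line {lineno}: {name} leaked into the build log")
    print(clean)
```

The entropy rule catches secrets stored under innocuous names but will also flag other long opaque identifiers, so treat its hits as candidates for review rather than confirmed leaks.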


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
