Microsoft has promptly addressed a critical security vulnerability in Azure CLI (Command-Line Interface), designated CVE-2023-36052, discovered by security researchers at Palo Alto’s Prisma Cloud. This vulnerability posed a risk of attackers stealing credentials from logs generated by Azure CLI in GitHub Actions or Azure DevOps.
Successful exploitation allowed unauthenticated attackers to remotely access plaintext contents in Continuous Integration and Continuous Deployment (CI/CD) logs, potentially compromising passwords and usernames. Microsoft urges users of affected CLI commands to update to version 2.53.1 or above, emphasizing the importance of securing against the risks posed by this vulnerability.
Furthermore, customers who recently used Azure CLI commands were notified through the Azure Portal, and Microsoft advises all users to update to the latest Azure CLI version (2.54). Additionally, users are recommended to follow several security measures to prevent accidental exposure of secrets within CI/CD logs, including keeping Azure CLI updated, avoiding CLI output exposure in logs, regularly rotating keys and secrets, reviewing guidance on secrets management for Azure services, and implementing GitHub best practices for security hardening.
Additionally, Microsoft has introduced a new Azure CLI default configuration to enhance security, restricting the presentation of secrets in the output generated by update commands for services within the App Service family. While this default is applicable to versions 2.53.1 and higher, users with versions 2.53.0 and below remain vulnerable until they update.
Microsoft has expanded credential redaction capabilities across GitHub Actions and Azure Pipelines, increasing the recognition of key patterns within build logs to obfuscate them. The update aims to prevent inadvertent disclosure of sensitive information, with Microsoft-issued keys being detected before leaking in publicly accessible logs.
The company acknowledges that the redaction patterns are not exhaustive and may mask additional variables and data in output and logs that are not set as secrets. Microsoft expresses its commitment to ongoing efforts to optimize and extend these protective measures to include a comprehensive pattern of potential secrets, reinforcing its dedication to cybersecurity and user protection.