New research in cybersecurity reveals a vulnerability named LeakyCLI, indicating that certain command-line interface (CLI) tools in Amazon Web Services (AWS) and Google Cloud may inadvertently expose sensitive credentials in build logs, posing significant risks for organizations. Orca, a cloud security firm, identified this vulnerability, emphasizing its potential consequences for security.
Roi Nisimi, a security researcher, highlighted how commands within Azure CLI, AWS CLI, and Google Cloud CLI could expose sensitive information, such as environment variables, which adversaries could exploit, especially when published by tools like GitHub Actions. Microsoft has addressed this issue through security updates, assigning it the CVE identifier CVE-2023-36052 with a CVSS score of 8.6.
The vulnerability stems from certain CLI commands that reveal predefined environment variables, with examples including AWS Lambda commands like get-function-configuration and gcloud functions deploy in Google Cloud. Orca found instances on GitHub where access tokens and other sensitive data were inadvertently leaked via various CI/CD logs, underscoring the widespread impact of the vulnerability.
While Microsoft has taken steps to mitigate the issue, Amazon and Google maintain that this behavior is expected, urging organizations to avoid storing secrets in environment variables and instead utilize dedicated secrets management services like AWS Secrets Manager or Google Cloud Secret Manager. Additionally, Google recommends using options like “–no-user-output-enabled” to suppress command output in terminal environments, emphasizing the importance of securing CLI commands, particularly within CI/CD pipelines.
