Microsoft has fixed a critical security vulnerability that could let attackers steal credentials from GitHub Actions or Azure DevOps logs created using Azure CLI (short for Azure command-line interface).
The vulnerability (tracked as CVE-2023-36052) was reported by Palo Alto security researcher Aviad Hahami, who found that successful exploitation enables unauthenticated attackers to remotely access plain text contents written by Azure CLI to Continuous Integration and Continuous Deployment (CI/CD) logs.
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft explains.
“Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability. This also applies to customers with log files created by using these commands through Azure DevOps and/or GitHub Actions.”
Microsoft says that customers who recently used Azure CLI commands were notified through the Azure Portal. In an MSRC blog post published today, Redmond advised all customers to update to the latest Azure CLI version (2.54).
Customers are also advised to follow these steps to prevent accidental exposure of secrets in CI/CD logs:
- Keep Azure CLI updated to the latest release.
- Avoid exposing Azure CLI output in logs and/or publicly accessible locations: If developing a script that requires the output value, filter out the property needed for the script (review Azure CLI information regarding output formats and implement recommended guidance for masking an environment variable).
- Rotate keys and secrets regularly. As a general best practice, customers are encouraged to regularly rotate keys and secrets on a cadence that works best for their environment (guidance on key and secret considerations in Azure is available here).
- Review the guidance around secrets management for Azure services.
- Review GitHub best practices for security hardening in GitHub Actions.
- Ensure GitHub repositories are set to private unless otherwise needed to be public.
- Review the guidance for securing Azure Pipelines.
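The second recommendation above, worked through in Python as an added example (not code from the article, Microsoft, or the Azure CLI project): the CLI output is a constructed sample shaped like an App Service app-settings update response, the setting names and values are assumptions, and `::add-mask::` is the GitHub Actions workflow command that hides a value in later log lines.

```python
import json

# Constructed sample in the shape of `az webapp config appsettings set` JSON output.
# Illustrative only; the names and values are not from a real Azure CLI run.
SAMPLE_CLI_OUTPUT = json.dumps([
    {"name": "DB_CONNECTION", "slotSetting": False,
     "value": "Server=db;Password=ExamplePass123;"},
    {"name": "FEATURE_FLAG", "slotSetting": False, "value": "on"},
])


def select_setting(cli_output: str, name: str) -> str:
    """Return only the one setting the script needs, never the whole response.

    Equivalent to narrowing the CLI call with a JMESPath `--query` expression
    so that unrelated settings never reach the job output at all.
    """
    for item in json.loads(cli_output):
        if item["name"] == name:
            return item["value"]
    raise KeyError(f"setting {name!r} not present in CLI output")


def mask_command(value: str) -> str:
    """Build the GitHub Actions `::add-mask::` command for a secret value.

    Printing this before the value is used tells the runner to replace the
    value with *** in every later log line of the job. The command is
    single-line, so a multi-line secret is masked one line at a time.
    """
    return "".join(f"::add-mask::{line}\n" for line in value.splitlines() if line)


def find_leaks(log_text: str, secrets) -> list:
    """Post-job check: list every secret value that still appears in a log."""
    return [s for s in secrets if s in log_text]


if __name__ == "__main__":
    secret = select_setting(SAMPLE_CLI_OUTPUT, "DB_CONNECTION")
    print(mask_command(secret), end="")                     # mask first, use later
    print(f"DB_CONNECTION has {len(secret)} characters")    # safe: value not echoed
    # The pattern the advisory warns about: echoing the full CLI response.
    leaked = find_leaks(SAMPLE_CLI_OUTPUT, [secret])
    print("secret values present in the raw CLI output:", len(leaked))
```

Run `find_leaks` over a saved job log with the values you expect to be masked; a non-empty result means the log was published with a secret in the clear.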
Microsoft has implemented a new Azure CLI default configuration to bolster security measures, aiming to prevent accidental disclosure of sensitive information. The updated setting now restricts the presentation of secrets in the output generated by update commands concerning services within the App Service family, including Web Apps and Functions.
However, the new default will roll out to customers who have updated to the latest Azure CLI version (2.53.1 and higher), while prior versions (2.53.0 and below) are still vulnerable to exploitation.
Furthermore, the company has broadened credential redaction capabilities across GitHub Actions and Azure Pipelines to increase the number of recognizable key patterns within build logs and obfuscate them.
With the new redaction abilities update, Redmond says that Microsoft-issued keys will be detected before being inadvertently leaked in publicly accessible logs.
“By avoiding echoing secrets, the new release prevents leakage in CI pipeline logs, developers’ machines, and log aggregators,” Hahami said.
“We recommend updating the Azure CLI versions used in CI runners and developers’ machines to 2.54, to make sure no secrets are printed to the logs.”