Azure CLI stores credentials in plaintext in logs. A easy technique to hack cloud environments

CVE-2023-36052 is a critical security vulnerability in the Azure Command-Line Interface (CLI), a tool for managing Azure resources. This vulnerability, reported by Palo Alto’s Prisma Cloud, allowed unauthenticated attackers to remotely access plaintext contents, including usernames and passwords, from Continuous Integration and Continuous Deployment (CI/CD) logs created using Azure CLI. These logs could be published by Azure DevOps and/or GitHub Actions. To mitigate this risk, users were advised to update their Azure CLI to version 2.53.1 or above.

Let’s consider a hypothetical example to understand the implications of CVE-2023-36052:

Suppose a development team uses Azure CLI for managing their Azure resources and automates their deployment process using GitHub Actions. During their routine operations, they execute various Azure CLI commands which generate logs. These logs, by default, include plaintext credentials such as usernames and passwords.

5 best free API security testing tools. Protecting your cloud CI/CD Pipeline

An external attacker, aware of this vulnerability, could access the public repository where the team’s GitHub Actions are configured. By examining the CI/CD logs published there, the attacker could find and extract these plaintext credentials. With these credentials, the attacker could gain unauthorized access to the team’s Azure resources, potentially leading to data breaches, unauthorized modifications, or even service disruptions.

This scenario underscores the critical nature of CVE-2023-36052, where seemingly benign logs could inadvertently become a source of significant security breaches. The mitigation steps provided by Microsoft, including updating Azure CLI and implementing best practices for log management and key rotations, are essential to prevent such unauthorized access.

Mitigation

Microsoft implemented several measures to address this vulnerability. These include:

Azure CLI Update: Advising customers to update Azure CLI to the latest release.
Securing Logs: Avoiding exposure of Azure CLI output in logs or publicly accessible locations and implementing guidance for masking environment variables.
Regularly Rotating Keys and Secrets: Encouraging regular rotation of keys and secrets.
Reviewing Security Best Practices: Providing guidance on secrets management for Azure services and GitHub Actions, and ensuring GitHub repositories are private unless necessary to be public.
Securing Azure Pipelines: Offering guidance for securing Azure Pipelines.
Enhancing Default Configurations: Introducing a new default configuration in Azure CLI to prevent accidental disclosure of sensitive information. This included restricting the presentation of secrets in output from update commands and broadening credential redaction capabilities across GitHub Actions and Azure Pipelines.

Workaround

Without patching, the primary alternative way to mitigate the risks associated with CVE-2023-36052 involves several best practices and security measures:

Secure Logging Practices: Ensure that logs do not contain sensitive information. This might involve custom scripts or tools to filter out or obfuscate credentials and other sensitive data before they are logged.
Access Control on Logs: Restrict access to CI/CD logs. Ensure that only authorized personnel can view these logs, and they are not publicly accessible.
Frequent Credential Rotation: Regularly change credentials and secrets to reduce the window of opportunity for an attacker to use compromised credentials.
Monitoring and Alerting: Implement monitoring to detect unusual access patterns or usage of credentials, which might indicate a compromise.
Environment Segmentation: Segregate development, testing, and production environments. Limit the scope of what each environment can access to minimize potential damage.

However, these measures are more complex and potentially less effective than updating the Azure CLI to a patched version. Patching directly addresses the vulnerability at its source, providing a more comprehensive and straightforward solution.

Mike Stevens

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.

Azure CLI stores credentials in plaintext in logs. A easy technique to hack cloud environments

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment

The Art of Interception :Active and Passive Surveillance in Mobile Signaling Networks

Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice

How to send phishing or malware to Teams users evading Teams security features

Caldera: Free Operational technology OT Attack Emulation Tool to secure ICS, SCADA and PLC devices

Azure cloud security tutorial series – Chapter 4 [Establish VNet Peering]

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996

How to easily hack TP-Link Archer AX21 Wi-Fi router

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]

Over 86,000 Routers at Risk – Is Yours One of Them? Shocking Vulnerabilities in Widely Used OT/IoT Routers

Inside LogoFAIL: The UEFI Firmware Flaw Compromising Millions of Devices

Your Google Cloud Security Might Be at Risk. Hacking GCP via Google Workspace flaw

Azure CLI stores credentials in plaintext in logs. A easy technique to hack cloud environments

Hackers’ new favorite: CVE-2023-4911 targeting Debian, Ubuntu and Fedrora servers in the Cloud

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment

The Art of Interception :Active and Passive Surveillance in Mobile Signaling Networks

Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice

How to send phishing or malware to Teams users evading Teams security features

Caldera: Free Operational technology OT Attack Emulation Tool to secure ICS, SCADA and PLC devices

Azure cloud security tutorial series – Chapter 4 [Establish VNet Peering]

Azure cloud security tutorial series – Chapter 3 [Add resource to VNet]

Azure cloud security tutorial series – Chapter 2 [Virtual Network]

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks

This new technique allows you to install ransomware and avoid EDR on any system

Guardians of the Hackers Galaxy: Unlock the tool of ToddyCat’s Group

Silent Predator Unveiled: Decoding WebWyrm Stealthy Malware affecting 50 countries

Cyber Security Channel

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]