Security researchers have uncovered a significant vulnerability dubbed “LeakyCLI,” affecting command-line tools used in AWS and Google Cloud environments. Similar to a previously identified flaw in Azure CLI, this issue exposes sensitive credentials in logs, potentially granting adversaries access to critical information like passwords and keys. Although Microsoft has addressed the flaw in Azure CLI, the AWS and Google Cloud CLIs remain vulnerable, posing risks to organizations, especially those relying on Continuous Integration and Continuous Deployment (CI/CD) pipelines.
The vulnerability stems from certain CLI commands inadvertently disclosing environment variables containing sensitive data. This oversight could be exploited by attackers, particularly in CI/CD pipelines, compromising resources within affected repositories. Orca Security, the team behind the discovery, promptly notified Google and AWS, but both companies deemed the behavior to be within the expected design parameters. To mitigate the risk, organizations are advised to avoid storing secrets in environment variables and instead utilize dedicated secrets store services like AWS Secrets Manager.
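The disclosure pattern described above, a CLI command echoing a resource's environment variables into CI/CD job output, is something a pipeline can check for before logs are persisted. The following is an added defender-side example, not code from Orca Security or the article; the log lines, variable names and key values are constructed placeholders, and the sensitive-name list is an assumption to tune per environment.

```python
import re

# Constructed sample of CI/CD build-log lines in which a cloud CLI command has
# echoed a resource's environment back into the job output. All values are
# fabricated placeholders (the AKIA... key is the public AWS documentation example).
SAMPLE_LOG = """\
[build] Deploying function...
[build] Environment: {"DB_PASSWORD": "hunter2-placeholder", "LOG_LEVEL": "info"}
[build] AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[build] AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[build] Done in 3.2s
"""

# Assumption: variable names containing these substrings hold secrets.
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

# Two shapes of disclosure seen in build output: shell-style KEY=value lines and
# JSON-style "KEY": "value" pairs (as printed when a CLI dumps a resource's
# configuration). Group 1 = variable name, group 2 = value.
ASSIGNMENT = re.compile(r"\b([A-Z][A-Z0-9_]{2,})=(\S+)")
JSON_PAIR = re.compile(r'"([A-Za-z_][A-Za-z0-9_]*)"\s*:\s*"([^"]*)"')

# Documented AWS access key ID shape, so key IDs are caught even under a benign name.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def redact_line(line):
    """Return the line with secret values masked plus the variable names found."""
    found = []

    def _mask(m):
        name, value = m.group(1), m.group(2)
        if SENSITIVE_NAME.search(name) or AWS_KEY_ID.search(value):
            found.append(name)
            return m.group(0).replace(value, "[REDACTED]", 1)
        return m.group(0)  # benign variable, leave untouched

    line = ASSIGNMENT.sub(_mask, line)
    line = JSON_PAIR.sub(_mask, line)
    return line, found

def scrub_log(text):
    """Scrub a whole log; returns cleaned text and every leaked variable name."""
    cleaned, leaked = [], []
    for raw in text.splitlines():
        line, names = redact_line(raw)
        cleaned.append(line)
        leaked.extend(names)
    return "\n".join(cleaned) + "\n", leaked

if __name__ == "__main__":
    out, names = scrub_log(SAMPLE_LOG)
    print(out)
    print("leaked variables:", names)
```

A non-empty `leaked` list is the signal to fail the job and rotate the named credentials, since the value has already reached whatever captured the raw output.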
To safeguard cloud infrastructures against potential exploitation of vulnerabilities like LeakyCLI, organizations must adhere to proper security protocols. By refraining from storing sensitive information in vulnerable locations and leveraging dedicated secrets management services, they can ensure the integrity and security of their cloud environments.