Understanding and Mitigating the LeakyCLI Vulnerability: AWS, GCP and Azure
Introduction to the LeakyCLI Vulnerability
The LeakyCLI vulnerability identified by Orca Security is a critical issue found in the CLI tools of major cloud providers like AWS, Google Cloud, and Azure. This flaw allows sensitive credentials to be exposed in build logs, thereby increasing the risk of security breaches. Azure has fixed the vulnerability, whereas AWS and GCP have issued guidance instead.
Recommendations from AWS and Google Cloud
AWS and Google Cloud acknowledge the exposure of credentials in build logs as a possible outcome of their current CLI configurations. Both providers emphasize that it is the responsibility of the organizations to secure their credentials properly.
AWS: Users are urged to avoid storing secrets in environment variables and should instead utilize AWS Secrets Manager. This service provides more secure management of secrets by enabling encryption at rest and automated rotation of credentials.
Google Cloud: Along with recommending the use of Google Cloud Secret Manager for secure storage of secrets, Google advises users to employ the --no-user-output-enabled flag with CLI commands. This option suppresses the command outputs to the terminal, thus preventing the accidental logging of sensitive information.
Step-by-Step Mitigation Strategies
1. AWS
- Update AWS CLI Tools: Ensure the AWS CLI is always up-to-date to incorporate the latest security patches.
- Use AWS Secrets Manager: Store sensitive credentials like API keys and passwords in the Secrets Manager to avoid exposure in logs.
- Enable CloudTrail and Config: These services help in monitoring and auditing configurations and API usage to detect anomalies and unauthorized access.
2. Google Cloud
- Update gcloud CLI Tools: Regular updates are crucial for receiving the latest security defenses.
- Use Google Cloud Secret Manager: Adopt Google’s dedicated secret management service to enhance security.
- Suppress Terminal Output: Utilize the --no-user-output-enabled flag to reduce the risk of credential exposure during standard operations.
3. Azure
- Update Azure CLI: Regular updates are necessary for maintaining security integrity.
- Use Azure Managed Identities: Let workloads authenticate through managed identities so that credentials do not have to be stored or handled manually.
- Implement Azure Monitor and Key Vault: These tools provide monitoring capabilities and secure credential storage, respectively.
Best Practices Across All Platforms
- Regular Auditing and Logging: Maintain stringent logging and auditing to quickly identify and mitigate any potential exposure of sensitive information.
- Access Management: Implement strict access controls, following the principle of least privilege to minimize access to sensitive data.
- Security Training: Regular training sessions for developers and IT staff are crucial to reinforce best practices in handling credentials and sensitive information.
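The auditing and logging practice above is only useful if something actually inspects the build logs for the kind of exposure the introduction describes, such as a CLI command echoing a function's environment variables. The following scanner is an added example written for this article, not code from Orca Security or any of the cloud providers. It runs over a constructed sample build log (the credentials in it are placeholders, not real keys), reports which lines carry credential-shaped content, and emits a redacted copy that is safe to retain. The detection rules (the AWS access key ID shape, sensitive-looking JSON field names and NAME=value pairs) are illustrative assumptions, not an exhaustive secret-detection ruleset.

```python
"""Scan a CI build log for credential-shaped content emitted by cloud CLI
commands and produce a redacted copy plus a list of findings.

Added example, not from the original article. The rules below are
illustrative assumptions, not an exhaustive secret-detection ruleset.
"""
import re

# Rule 1 (assumption for this example): an AWS access key ID has the fixed
# form AKIA followed by 16 upper-case alphanumerics; a bare one anywhere in a
# log line is a finding regardless of context.
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# Rule 2: JSON fields such as the "Variables" map printed by
# `aws lambda get-function-configuration`, i.e. "NAME": "value".
JSON_PAIR = re.compile(r'"([A-Za-z0-9_.-]+)"\s*:\s*"([^"]*)"')
# Rule 3: shell-style NAME=value pairs echoed by build steps.
ENV_PAIR = re.compile(r'\b([A-Z][A-Z0-9_]*)=(\S+)')
# A field or variable name that suggests its value is a credential.
SENSITIVE_NAME = re.compile(
    r'(?i)(passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)')

REDACTED = "[REDACTED]"

# Constructed sample log; every secret-looking value is a placeholder.
SAMPLE_BUILD_LOG = """\
[12:00:01] $ aws lambda get-function-configuration --function-name billing
[12:00:02] {"FunctionName": "billing", "Environment": {"Variables": {"DB_PASSWORD": "hunter2-example", "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE0000000AB"}}}
[12:00:03] $ gcloud functions describe notify --no-user-output-enabled
[12:00:04] $ export DB_PASSWORD=hunter2-example GITHUB_TOKEN=ghp_constructed_example
[12:00:05] Using AKIAEXAMPLE0000000CD for deploy
[12:00:06] $ echo build finished
"""


def redact_line(line):
    """Return (redacted_line, findings) for one log line.

    findings is a list of short rule descriptions; an empty list means the
    line was left untouched.
    """
    findings = []

    def json_sub(m):
        name, value = m.group(1), m.group(2)
        if value and SENSITIVE_NAME.search(name):
            findings.append(f"json field {name}")
            return f'"{name}": "{REDACTED}"'
        return m.group(0)

    def env_sub(m):
        name = m.group(1)
        if SENSITIVE_NAME.search(name):
            findings.append(f"env var {name}")
            return f"{name}={REDACTED}"
        return m.group(0)

    line = JSON_PAIR.sub(json_sub, line)
    line = ENV_PAIR.sub(env_sub, line)
    # Run the key-ID rule last: an ID that sat inside a sensitive-named field
    # has already been redacted and counted once; a bare ID in free text is
    # still caught here.
    if AWS_KEY_ID.search(line):
        findings.append("aws access key id")
        line = AWS_KEY_ID.sub(REDACTED, line)
    return line, findings


def scan_log(text):
    """Scan a whole log; return (redacted_text, [(line_no, rule), ...])."""
    out_lines = []
    report = []
    for no, line in enumerate(text.splitlines(), start=1):
        clean, findings = redact_line(line)
        out_lines.append(clean)
        report.extend((no, f) for f in findings)
    return "\n".join(out_lines), report


if __name__ == "__main__":
    redacted_log, findings_report = scan_log(SAMPLE_BUILD_LOG)
    for line_no, rule in findings_report:
        print(f"line {line_no}: {rule}")
    print(redacted_log)
```

Run this as a post-step in the CI job (or over archived logs) and treat any finding as an incident to rotate: the redacted copy limits further exposure, but the value was already written to the log once. Note that line 3 of the sample, the gcloud call with --no-user-output-enabled, produces no finding precisely because nothing was printed; that is the effect the Google Cloud guidance above aims for.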
By following these detailed steps and adopting a robust security posture, organizations can effectively safeguard against the LeakyCLI vulnerability and similar security threats.