Scrape Timestamp (UTC): 2023-11-14 18:45:31.909
Original Article Text
Microsoft fixes critical Azure CLI flaw that leaked credentials in logs

Microsoft has fixed a critical security vulnerability that could let attackers steal credentials from GitHub Actions or Azure DevOps logs created using Azure CLI (short for Azure command-line interface).

The vulnerability (tracked as CVE-2023-36052) was reported by security researchers with Palo Alto's Prisma Cloud. They found that successful exploitation enables unauthenticated attackers to remotely access plaintext contents written by Azure CLI to Continuous Integration and Continuous Deployment (CI/CD) logs.

"An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions," Microsoft explains. "Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability. This also applies to customers with log files created by using these commands through Azure DevOps and/or GitHub Actions."

Microsoft says that customers who recently used Azure CLI commands were notified through the Azure Portal. In an MSRC blog post published today, Redmond advised all customers to update to the latest Azure CLI version (2.54). Customers are also advised to take the following steps to prevent accidental exposure of secrets within CI/CD logs:

Microsoft has implemented a new Azure CLI default configuration to bolster security measures, aiming to prevent accidental disclosure of sensitive information. The updated setting now restricts the presentation of secrets in the output generated by update commands concerning services within the App Service family, including Web Apps and Functions. However, the new default only reaches customers who have updated to Azure CLI version 2.53.1 or higher; prior versions (2.53.0 and below) remain vulnerable to exploitation.
Furthermore, the company has broadened credential redaction capabilities across GitHub Actions and Azure Pipelines to increase the number of recognizable key patterns within build logs and obfuscate them. With the new redaction abilities update, Redmond says that Microsoft-issued keys will be detected before being inadvertently leaked in publicly accessible logs. "Note that the patterns being redacted are not currently comprehensive and you may see additional variables and data masked in output and logs that are not set as secrets," the company said. "Microsoft is continuously exploring ways of optimizing and extending this protection to include a robust pattern of potential secrets."
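The two defences the article describes, masking of secrets that a pipeline knows about and pattern-based redaction of credential-shaped values that it does not, can be sketched as a filter that runs over Azure CLI output before it reaches a build log. The following Python is an added example written for this page; it is not Microsoft's, Azure CLI's or the Prisma Cloud researchers' code. The JSON layout only approximates what an App Service app-settings update prints, the list of sensitive setting names and the value-shape regexes are constructed for the example (they are not the patterns Microsoft uses, which the article says are not yet comprehensive), and the sample log is constructed. Running it on the sample shows why a pattern list alone is best effort: the `STORAGE` value is caught only by a shape heuristic, while the version string passes through untouched.

```python
import re
from dataclasses import dataclass, field

MASK = "***"

# Setting names treated as sensitive when they appear in the JSON that an
# App Service update prints. Assumed list for this example, not Azure CLI's.
SENSITIVE_NAME_RE = re.compile(
    r"password|secret|connection_?string|apikey|token|(?<![a-z])key", re.I)

# One "key": "value" pair on a line of pretty-printed JSON output.
JSON_PAIR_RE = re.compile(r'"(?P<key>[^"]+)"\s*:\s*"(?P<val>[^"]*)"')

# Value-shape heuristics. Constructed for the example; not Microsoft's patterns.
VALUE_PATTERNS = [
    re.compile(r"(?<=AccountKey=)[A-Za-z0-9+/]{20,}={0,2}"),            # storage connection strings
    re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}==(?![A-Za-z0-9+/=])"),  # long base64 blob
]


@dataclass
class LogRedactor:
    known_secrets: set = field(default_factory=set)   # exact values to hide (like a registered mask)
    findings: list = field(default_factory=list)      # (line number, reason) for audit reporting
    _next_value_sensitive: bool = False               # set when a "name" line looked sensitive

    def register_secret(self, value: str) -> None:
        """Register a value the pipeline already knows is secret (e.g. from its secret store)."""
        if value:
            self.known_secrets.add(value)

    def redact_line(self, lineno: int, line: str) -> str:
        # 1. Exact matches of registered secrets, longest first so a value that
        #    contains a shorter registered value is masked as a whole.
        for secret in sorted(self.known_secrets, key=len, reverse=True):
            if secret in line:
                self.findings.append((lineno, "registered-secret"))
                line = line.replace(secret, MASK)

        # 2. JSON name/value entries: a sensitive-looking "name" marks the
        #    following "value" line; a pair whose own key looks sensitive is masked directly.
        def _json_sub(m: "re.Match") -> str:
            key, val = m.group("key"), m.group("val")
            if key.lower() == "name":
                self._next_value_sensitive = bool(SENSITIVE_NAME_RE.search(val))
                return m.group(0)
            if key.lower() == "value":
                sensitive, self._next_value_sensitive = self._next_value_sensitive, False
                if sensitive and val not in ("", MASK):
                    self.findings.append((lineno, "sensitive-setting"))
                    return f'"{key}": "{MASK}"'
                return m.group(0)
            if SENSITIVE_NAME_RE.search(key) and val not in ("", MASK):
                self.findings.append((lineno, "sensitive-key"))
                return f'"{key}": "{MASK}"'
            return m.group(0)

        line = JSON_PAIR_RE.sub(_json_sub, line)

        # 3. Shape heuristics for credential-looking values that slipped through.
        for pattern in VALUE_PATTERNS:
            line, hits = pattern.subn(MASK, line)
            if hits:
                self.findings.append((lineno, "pattern"))
        return line

    def redact(self, text: str) -> str:
        """Redact a whole log; findings accumulate on the instance for an audit report."""
        return "\n".join(self.redact_line(n, ln) for n, ln in enumerate(text.splitlines(), 1))


# Constructed sample: a CI step that updates app settings and the (approximated)
# JSON that older Azure CLI versions echoed back, including the secret values.
SAMPLE_LOG = """\
2023-11-14T10:00:00Z Run az webapp config appsettings set --name demo-app --settings DB_PASSWORD=Hunter2Hunter2
[
  {
    "name": "DB_PASSWORD",
    "slotSetting": false,
    "value": "Hunter2Hunter2"
  },
  {
    "name": "API_TOKEN",
    "slotSetting": false,
    "value": "tok-constructed-12345"
  },
  {
    "name": "WEBSITE_NODE_DEFAULT_VERSION",
    "slotSetting": false,
    "value": "~18"
  },
  {
    "name": "STORAGE",
    "slotSetting": false,
    "value": "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUI=;EndpointSuffix=core.windows.net"
  }
]
"""


def audit_sample() -> tuple:
    """Redact the constructed sample with one registered secret; returns (redacted text, findings)."""
    redactor = LogRedactor()
    redactor.register_secret("Hunter2Hunter2")   # the only value the pipeline was told is secret
    return redactor.redact(SAMPLE_LOG), redactor.findings


if __name__ == "__main__":
    redacted, findings = audit_sample()
    print(redacted)
    for lineno, reason in findings:
        print(f"line {lineno}: {reason}")
```

The findings list is the part worth keeping: run over archived pipeline logs it tells you which jobs echoed credentials in the clear and therefore which values to rotate, independent of whether the Azure CLI version that produced them has since been upgraded.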
Daily Brief Summary
Microsoft has rectified a severe security flaw in Azure CLI that risked credential exposure in GitHub Actions and Azure DevOps logs.
The vulnerability, identified as CVE-2023-36052, was discovered by Palo Alto's Prisma Cloud team and could allow unauthenticated remote access to plaintext credentials.
Users must upgrade to Azure CLI version 2.53.1 or later to mitigate risks associated with this issue, which also affected log files from Azure DevOps and GitHub Actions.
Security notifications were issued to customers who may have used vulnerable Azure CLI commands, prompting them to update via the Azure Portal.
Microsoft has updated Azure CLI to prevent the inadvertent disclosure of sensitive data, with defaults now restricting secrets in output for App Service-related updates.
Credential redaction has been broadened across GitHub Actions and Azure Pipelines, though not all secret patterns are currently covered.
Microsoft is working on expanding and optimizing secret pattern detection to further safeguard against unintentional data leaks in CI/CD log outputs.