Cloud infrastructure is the backbone of modern technology, and its security hinges on the tools developers use to manage it. However, a recently discovered vulnerability dubbed “LeakyCLI” exposes a critical weakness in these tools, potentially granting unauthorized access to sensitive cloud credentials.
This vulnerability affects the command-line interfaces (CLIs) of major cloud providers, including Amazon Web Services (AWS) and Google Cloud Platform (GCP). Security researchers at Orca Security identified LeakyCLI: certain CLI commands that describe or update a serverless function print the function's environment variables in their output, so when such a command runs in a CI/CD job, any passwords or access keys stored in those variables end up in the build log.
The Flaw and the Risk
CLIs are designed on the assumption that they run in a trusted environment, with output going to the operator's terminal. Wiring them into Continuous Integration and Continuous Deployment (CI/CD) pipelines, which automate build and release steps and record every command's output, changes that. A CI/CD system masks only the values that were declared to it as secrets; a credential that lives in the function's configuration and surfaces through command output was never declared, so LeakyCLI sidesteps that masking and the credential is printed in the clear in logs that shouldn't contain it.
“CLI commands are by default assumed to be running in a secure environment,” explains an Orca advisory. “But coupled with CI/CD pipelines, they may pose a security threat.” Build logs that carry live credentials are a prime target, including for attackers who rely on social engineering to get access to a project's pipeline.
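The following is an added example, not code from Orca Security, AWS or Google, that models the failure mode described above. A CI job captures the JSON that a "describe this function" style CLI call prints, the pipeline's log masker replaces only the values it was told about, and everything else in the function's environment goes into the log unmasked. The CLI output is a constructed stand-in whose field names follow the Lambda response shape; every secret in it is a fake placeholder (the AKIA... value is the key ID AWS uses in its own documentation). The block also shows a pipeline-side fix, blanking environment variable values before the output is written, and a post-hoc scan for AWS access key IDs that reached a log.

```python
"""Added example (not Orca's, AWS's or Google's code) of the LeakyCLI
failure mode: CLI output that echoes a function's environment variables,
run through a CI log masker that only knows the pipeline's own secrets."""
import json
import re

# Constructed stand-in for the JSON a describe/get-configuration style CLI
# call prints.  Field names follow the AWS Lambda response shape; the values
# are made up for this example.
SAMPLE_CLI_OUTPUT = json.dumps({
    "FunctionName": "billing-export",
    "Runtime": "python3.12",
    "Environment": {
        "Variables": {
            "DB_PASSWORD": "hunter2-but-longer",
            "PARTNER_API_KEY_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS docs example key ID
            "LOG_LEVEL": "info",
        }
    },
})

# Environment variables that are configuration, not secrets (assumption for
# this example); everything else in Variables is treated as sensitive.
NON_SECRET_KEYS = {"LOG_LEVEL"}

# Secrets the pipeline was told about, e.g. declared in the CI configuration.
# DB_PASSWORD was declared; the partner key lives only in the function config.
PIPELINE_SECRETS = {"hunter2-but-longer"}

# Format of AWS long-term (AKIA) and temporary (ASIA) access key IDs.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def ci_mask(log_line: str, known_secrets) -> str:
    """What a typical CI log masker does: replace registered secret values only."""
    for secret in known_secrets:
        log_line = log_line.replace(secret, "***")
    return log_line


def secret_values(raw_json: str) -> list:
    """The function's sensitive environment values, per NON_SECRET_KEYS."""
    env = json.loads(raw_json)["Environment"]["Variables"]
    return sorted(v for k, v in env.items() if k not in NON_SECRET_KEYS)


def leaked_values(log_text: str, values) -> list:
    """Which sensitive values survived masking and are readable in the log."""
    return sorted(v for v in values if v in log_text)


def scan_log_for_key_ids(log_text: str) -> list:
    """Post-hoc detection: AWS access key IDs that made it into a log."""
    return sorted(set(AWS_KEY_ID_RE.findall(log_text)))


def redact_cli_output(raw_json: str, keep_keys=()) -> str:
    """Pipeline-side fix: blank environment variable values before the output
    reaches stdout (and therefore the build log).  Keys are kept so the job can
    still check which variables are set."""
    data = json.loads(raw_json)
    env = data.get("Environment", {}).get("Variables")
    if isinstance(env, dict):
        data["Environment"]["Variables"] = {
            k: (v if k in keep_keys else "<redacted>") for k, v in env.items()
        }
    return json.dumps(data)


def simulate_job(raw_cli_output: str, redact: bool) -> dict:
    """Push the CLI output through the pipeline with or without the fix and
    report what is readable in the resulting log."""
    stdout = redact_cli_output(raw_cli_output, NON_SECRET_KEYS) if redact else raw_cli_output
    log = ci_mask(stdout, PIPELINE_SECRETS)
    return {
        "log": log,
        "leaked": leaked_values(log, secret_values(raw_cli_output)),
        "key_ids_in_log": scan_log_for_key_ids(log),
    }


if __name__ == "__main__":
    for redact in (False, True):
        r = simulate_job(SAMPLE_CLI_OUTPUT, redact)
        print(f"redact={redact} leaked={r['leaked']} key_ids={r['key_ids_in_log']}")
```

Without the fix, the declared password is masked but the partner key ID, which the pipeline never knew about, is readable in the log; with the fix nothing sensitive survives. In a real job the same effect is had more simply by not printing the configuration at all, or by asking the CLI for only the fields the step needs (the AWS CLI's `--query` option and gcloud's `--format` option both do this). The key-ID scan is a complement, not a substitute: a database password has no recognisable format, so log scanning alone would not have caught it.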
Deja Vu: Echoes of the XZ Utils Attack
In one respect, LeakyCLI resembles the recent incident involving XZ Utils, a widely used open-source compression tool. There, an attacker gradually gained the maintainer's trust and, once given commit access, inserted a backdoor into the project. LeakyCLI involves no malicious code; it exposes credentials. But an attacker who has talked their way into a project in the XZ Utils manner can read its build logs, and credentials sitting in those logs turn a foothold in the project into access to its cloud accounts.
Securing the Cloud: Recommendations for Developers
Orca's researchers recommend several measures to mitigate the risks associated with LeakyCLI:
- Eliminate Secrets in Environment Variables: Instead of storing passwords and keys in a function's environment variables, where any command that prints the configuration will echo them, keep them in a dedicated secrets service such as AWS Secrets Manager or Google Cloud Secret Manager and fetch them at runtime.
- Multi-Factor Authentication (MFA): Enforce strong authentication protocols like MFA for all users accessing cloud resources and project repositories.
- Granular Access Control: Grant users only the level of access required for their specific tasks within projects.
- Code Reviews: Implement rigorous code review processes to identify and remove any vulnerabilities that might be introduced accidentally or maliciously.
- Community Vigilance: Foster a strong and vigilant development community to identify suspicious activity and report potential threats promptly.
Both AWS and Google Cloud Platform were notified of LeakyCLI, and both maintain that the current behaviour is as designed. The security community is nevertheless urging cloud providers to add protection within their CLIs so that sensitive values do not leak into logs, especially in automated CI/CD workflows. Until that happens, treat the output of any CLI command that describes or updates a function as potentially containing secrets, and either suppress it or filter it before it is written to a pipeline log.
LeakyCLI is one more reminder of how cloud security can be undermined by tooling that is used outside the environment it was designed for. Developers and cloud providers alike must work together to implement robust security measures and remain vigilant against increasingly sophisticated threats.