Summary
The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto Networks Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs. Microsoft recommends that customers update to the latest version of Azure CLI (2.54) and follow the guidance provided below to help prevent inadvertently exposing secrets through CI/CD logs. A notification in the Azure Portal was sent to customers who recently used Azure CLI commands informing them of an available update.
In response to Prisma Cloud’s report, Microsoft has made several changes across different products, including Azure Pipelines, GitHub Actions, and Azure CLI, to implement more robust secret redaction. This discovery highlights the increasing need to help ensure customers are not logging sensitive information into their repo and CI/CD pipelines. Minimizing security risk is a shared responsibility; Microsoft has issued an update to Azure CLI to help prevent secrets from being output and customers are expected to be proactive in taking steps to secure their workloads.
More information about this vulnerability can be found in the Security Update Guide under CVE-2023-36052.
Changes to Azure Pipelines, GitHub Actions Logging, and Azure CLI
Microsoft has made changes to several Azure CLI commands and will continue to implement changes to further harden Azure CLI against inadvertent usage that could lead to secrets exposure. One example is the implementation of a new default setting which prevents secrets from being presented in the output of update commands for services in the App Service family (Web Apps, Functions, etc.). This default setting will only apply for customers who update to the newest version of Azure CLI (2.53.1 and above) and will not apply to previous versions of Azure CLI (2.53.0 and below). More information can be found in the Azure CLI release notes. Note that this change might adversely impact some automation workflows since certain users might expect secret values in the Azure CLI response to then be used in subsequent parts of the workflow. However, there are safer authoring patterns for automation that we encourage customers to consider. A sample of updated App Service commands can be found below. As we continue to investigate, we will continue to make updates to Azure CLI and update the list of commands in CVE-2023-36052.
az webapp config appsettings set
az webapp config appsettings delete
In addition, we’re expanding our credential redaction capabilities in GitHub Actions and Azure Pipelines to identify a wider number of recognizable key patterns in build logs and mask them. This redaction is designed to target a specific set of keys for accuracy and performance reasons and is intended to catch any Microsoft-issued keys that may have inadvertently found their way into public-facing logs. Note that the patterns being redacted are not currently comprehensive and you may see additional variables and data masked in output and logs that are not set as secrets. Microsoft is continuously exploring ways of optimizing and extending this protection to include a robust pattern of potential secrets.
Customer guidance to avoid inadvertent secret exposure through Azure CLI
As mentioned above, minimizing security risk is a shared responsibility. As always, Microsoft encourages customers to follow best practices when developing and managing their cloud workloads. When it comes to secret management, there are a number of steps customers can take to help avoid inadvertent secret exposure, including:
- Always update Azure CLI to the latest release to receive the most recent security updates.
- Avoid exposing Azure CLI output in logs and/or publicly accessible locations. If developing a script that requires the output value, ensure that you filter out the property needed for the script. Please review Azure CLI information regarding output formats and implement our recommended guidance for masking an environment variable.
- Rotate keys and secrets on a regular basis. As a general best practice, customers are encouraged to regularly rotate keys and secrets on a cadence that works best for their environment. See our article on key and secret considerations in Azure here.
- Review the guidance around secrets management for Azure services.
- Review GitHub best practices for security hardening in GitHub Actions.
- Ensure GitHub repositories are set to private unless otherwise needed to be public.
- Review our guidance for securing Azure Pipelines
Acknowledgement
We appreciate the opportunity to investigate the findings reported by Prisma Cloud and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.
Prisma Cloud Blog on Azure CLI Leakage and Problematic Usage Patterns
References
Azure CLI Guidance
GitHub Guidance
- Using secrets in GitHub Actions - GitHub Docs
- Masking an environment variable
- Setting repository visibility - GitHub Docs
- Deleting logs in GitHub Actions - GitHub Docs