Azure CLI is the latest Microsoft product to be severely at risk due to a new vulnerability
CVE-2023-36052 can expose confidential information in public logs.
Azure CLI (Azure Command-Line Interface) was reportedly at great risk of exposing sensitive information, including credentials, whenever someone would interact with the GitHub Actions logs on the platform, according to the latest blog post from the Microsoft Security Response Center.
MSRC was made aware of the vulnerability, now called CVE-2023-36052, by a researcher who found out that tweaking Azure CLI commands could lead to showing sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs.
This is not the first time researchers found out Microsoft products are vulnerable. Earlier this year, a team of researchers made Microsoft aware that Teams is highly prone to modern malware, including phishing attacks. Microsoft products are so vulnerable that 80% of Microsoft 365 accounts were hacked in 2022, alone.
The threat of the CVE-2023-36052 vulnerability was such a risk, that Microsoft immediately took action across all platforms and Azure products, including Azure Pipelines, GitHub Actions, and Azure CLI, and improved infrastructure to better resist such tweaking.
In response to Prisma’s report, Microsoft has made several changes across different products, including Azure Pipelines, GitHub Actions, and Azure CLI, to implement more robust secret redaction. This discovery highlights the increasing need to help ensure customers are not logging sensitive information into their repo and CI/CD pipelines. Minimizing security risk is a shared responsibility; Microsoft has issued an update to Azure CLI to help prevent secrets from being output and customers are expected to be proactive in taking steps to secure their workloads.
Microsoft
What can you do to avoid the risk of losing sensitive information to the CVE-2023-36052 vulnerability?
The Redmond-based tech giant says users should update Azure CLI to the latest version (2.54) as soon as possible. After updating, Microsoft also wants users to follow this guideline:
- Always update Azure CLI to the latest release to receive the most recent security updates.
- Avoid exposing Azure CLI output in logs and/or publicly accessible locations. If developing a script that requires the output value, ensure that you filter out the property needed for the script. Please review Azure CLI information regarding output formats and implement our recommended guidance for masking an environment variable.
- Rotate keys and secrets regularly. As a general best practice, customers are encouraged to regularly rotate keys and secrets on a cadence that works best for their environment. See our article on key and secret considerations in Azure here.
- Review the guidance around secrets management for Azure services.
- Review GitHub best practices for security hardening in GitHub Actions.
- Ensure GitHub repositories are set to private unless otherwise needed to be public.
- Review the guidance for securing Azure Pipelines.
Microsoft will make some changes following the discovery of the CVE-2023-36052 vulnerability on Azure CLI. One of these changes, says the company, is the implementation of a new default setting that prevents sensitive information labeled as secret from being presented in the output of commands for services from the Azure family.
However, users will need to update to the 2.53.1 and above version of Azure CLI, as the new default setting will not be implemented on older versions.
The Redmond-based tech giant is also expanding the redaction capabilities in both GitHub Actions and Azure Pipelines to better identify and catch any Microsoft-issued keys that can be exposed in public logs.
If you use Azure CLI, make sure to update the platform to the latest version right now to protect your device and your organization against the CVE-2023-36052 vulnerability.