The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto’s Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs. Microsoft recommends that customers update to the latest version of Azure CLI (2.54) and follow the guidance provided below to help prevent inadvertently exposing secrets through CI/CD logs. A notification in the Azure Portal was sent to customers who recently used Azure CLI commands informing them of an available update.
In response to Prisma’s report, Microsoft has made several changes across different products, including Azure Pipelines, GitHub Actions, and Azure CLI, to implement more robust secret redaction. This discovery highlights the increasing need to help ensure customers are not logging sensitive information into their repo and CI/CD pipelines. Minimizing security risk is a shared responsibility; Microsoft has issued an update to Azure CLI to help prevent secrets from being output and customers are expected to be proactive in taking steps to secure their workloads.
More information about this vulnerability can be found in the Security Update Guide under CVE-2023-36052.
Microsoft has made changes to several Azure CLI commands and will continue to implement changes to further harden Azure CLI against inadvertent usage that could lead to secrets exposure. One example is the implementation of a new default setting which prevents secrets from being presented in the output of update commands for services in the App Service family (Web Apps, Functions, etc.). This default setting will only apply for customers who update to the newest version of Azure CLI (2.53.1 and above) and will not apply to previous versions of Azure CLI (2.53.0 and below). More information can be found in the Azure CLI release notes. Note that this change might adversely impact some automation workflows since certain users might expect secret values in the Azure CLI response to then be used in subsequent parts of the workflow. However, there are safer authoring patterns for automation that we encourage customers to consider. A sample of updated App Service commands can be found below. As we continue to investigate, we will continue to make updates to Azure CLI and update the list of commands in CVE-2023-36052.
az webapp config appsettings set
az webapp config appsettings delete
In addition, we’re expanding our credential redaction capabilities in GitHub Actions and Azure Pipelines to identify a wider range of recognizable key patterns in build logs and mask them. This redaction targets a specific set of key formats, for accuracy and performance reasons, and is intended to catch any Microsoft-issued keys that may have inadvertently found their way into public-facing logs. Note that the patterns being redacted are not currently comprehensive, and you may also see variables and data masked in output and logs that were not set as secrets. Microsoft is continuously exploring ways of optimizing and extending this protection to cover a more robust set of potential secret patterns.
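The two mechanisms described above, the CLI no longer printing setting values and the CI runner masking known secret values, can be reproduced by a pipeline that is still on an older Azure CLI. The following is an added example written for this page, not Microsoft's or the Azure CLI project's code. It assumes (my assumption, not stated in the advisory) that `az webapp config appsettings set` prints a JSON list of objects with `name`, `slotSetting` and `value` keys; the sample output and the secret values in it are constructed.

```python
"""Added example (not Microsoft's code): defensive post-processing of Azure CLI
output before anything reaches a CI/CD log.

Assumed output shape (my assumption): `az webapp config appsettings set/list`
prints a JSON list of {"name", "slotSetting", "value"} objects.
"""
import json

# Constructed sample of what an older Azure CLI (2.53.0 and below) could print
# from `az webapp config appsettings set` when a pipeline step logs stdout.
SAMPLE_APPSETTINGS_OUTPUT = json.dumps([
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": False, "value": "1"},
    {"name": "STORAGE_CONNECTION", "slotSetting": False,
     "value": "DefaultEndpointsProtocol=https;AccountKey=EXAMPLEKEY000;"},
])

# Constructed log line: the same value echoed by a later step in the job.
SAMPLE_LOG_LINE = ("Configured storage: "
                   "DefaultEndpointsProtocol=https;AccountKey=EXAMPLEKEY000;")


def redact_appsettings(output_json: str) -> list:
    """Parse CLI output and drop every setting value.

    Mirrors the safer default of Azure CLI 2.53.1+ for pipelines on an older
    CLI: setting names survive so the step stays debuggable, values become
    null and never reach the log.
    """
    settings = json.loads(output_json)
    for entry in settings:
        if "value" in entry:
            entry["value"] = None
    return settings


def mask_known_secrets(log_text: str, secrets) -> str:
    """Replace each registered secret value with '***'.

    This is the contract of runner-side masking (GitHub Actions `::add-mask::`,
    Azure Pipelines secret variables): only values the runner was told about
    get masked, which is why CLI output must not print values the pipeline
    never registered. Longer values are masked first so a short secret that is
    a substring of a longer one leaves no fragment behind.
    """
    masked = log_text
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        masked = masked.replace(secret, "***")
    return masked


def leaked_values(log_text: str, secrets) -> list:
    """Detection check: which registered secrets still appear verbatim."""
    return [s for s in secrets if s and s in log_text]


if __name__ == "__main__":
    registered = ["EXAMPLEKEY000"]  # constructed; in CI this comes from the vault
    print(json.dumps(redact_appsettings(SAMPLE_APPSETTINGS_OUTPUT), indent=2))
    print("leaked before masking:", leaked_values(SAMPLE_LOG_LINE, registered))
    safe_line = mask_known_secrets(SAMPLE_LOG_LINE, registered)
    print(safe_line)
    print("leaked after masking:", leaked_values(safe_line, registered))
```

In practice the first function is only a stopgap: the safer authoring pattern is to upgrade to Azure CLI 2.53.1 or later, run mutating commands with `--output none` so nothing is printed, and fetch the one value a later step needs with `--query` into a variable that is registered with the runner as a secret before it is used anywhere, rather than reading it back out of a logged response.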
As mentioned above, minimizing security risk is a shared responsibility. As always, Microsoft encourages customers to follow best practices when developing and managing their cloud workloads. When it comes to secret management, there are a number of steps customers can take to help avoid inadvertent secret exposure, including:
We appreciate the opportunity to investigate the findings reported by Prisma Cloud and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research.