Microsoft has fixed a critical security vulnerability that could let attackers steal credentials from GitHub Actions or Azure DevOps logs created using Azure CLI.

The vulnerability was reported by security researchers with Palo Alto's Prisma Cloud. They found that successful exploitation enables unauthenticated attackers to remotely access plaintext contents written by Azure CLI to Continuous Integration and Continuous Deployment (CI/CD) logs.

"An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions," Microsoft explains.

"Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability. This also applies to customers with log files created by using these commands through Azure DevOps and/or GitHub Actions."

Microsoft says that customers who recently used Azure CLI commands were notified through the Azure Portal. In an MSRC blog post published today, Redmond advised all customers to update to the latest Azure CLI version and to take the following steps:

- Avoid exposing Azure CLI output in logs and/or publicly accessible locations: If developing a script that requires the output value, filter out the property needed for the script.
- Review the guidance around secrets management for Azure services.
- Review GitHub best practices for security hardening in GitHub Actions.
- Ensure GitHub repositories are set to private unless otherwise needed to be public.

Microsoft has implemented a new Azure CLI default configuration to bolster security measures, aiming to prevent accidental disclosure of sensitive information. The updated setting now restricts the presentation of secrets in the output generated by update commands concerning services within the App Service family, including Web Apps and Functions.
The new default will roll out to customers who have updated to the latest Azure CLI version, while prior versions are still vulnerable to exploitation.

The company has also broadened credential redaction capabilities across GitHub Actions and Azure Pipelines, increasing the number of recognizable key patterns that are detected within build logs and obfuscated. Redmond says that with the updated redaction capabilities, Microsoft-issued keys will be detected before they are inadvertently leaked in publicly accessible logs.

"Note that the patterns being redacted are not currently comprehensive and you may see additional variables and data masked in output and logs that are not set as secrets," the company said. "Microsoft is continuously exploring ways of optimizing and extending this protection to include a robust pattern of potential secrets."
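Because the advisory also covers log files that already exist, the following added example (not code from Microsoft or from the original article) audits a CI log for plaintext values of credential-like settings and masks them. The name/value JSON shape, the list of sensitive names and the sample log are assumptions constructed for illustration.

```python
import re

# Setting names that usually hold credentials (assumed list; extend it for your estate).
SENSITIVE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|connection[_-]?string", re.I)
# One "name" or "value" JSON string field; group 3 is the string content.
FIELD = re.compile(r'("(name|value)"\s*:\s*")((?:[^"\\]|\\.)*)"')
MASK = "***"


def audit_log(text):
    """Return (findings, redacted_text); findings is a list of (line_number, setting_name)."""
    findings, out = [], []
    pending = None  # most recent "name" seen, carried across lines for pretty-printed JSON
    for lineno, line in enumerate(text.splitlines(), start=1):
        def handle(m):
            nonlocal pending
            prefix, key, val = m.group(1), m.group(2), m.group(3)
            if key == "name":
                pending = val
                return m.group(0)
            name, pending = pending, None  # a "value" consumes the pending name
            if name and SENSITIVE.search(name) and val not in ("", MASK):
                findings.append((lineno, name))
                return prefix + MASK + '"'
            return m.group(0)
        out.append(FIELD.sub(handle, line))
    return findings, "\n".join(out)


# Constructed sample log: timestamps, setting names and values are made up.
SAMPLE_LOG = """\
2023-11-30T10:00:01Z Run deploy step (constructed sample)
2023-11-30T10:00:02Z   {
2023-11-30T10:00:02Z     "name": "WEBSITE_TIME_ZONE",
2023-11-30T10:00:02Z     "value": "UTC"
2023-11-30T10:00:02Z   },
2023-11-30T10:00:02Z   {
2023-11-30T10:00:02Z     "name": "DB_PASSWORD",
2023-11-30T10:00:02Z     "value": "constructed-not-a-real-password"
2023-11-30T10:00:02Z   }
2023-11-30T10:00:03Z [{"name": "API_TOKEN", "value": "constructed-token"}, {"name": "MODE", "value": "prod"}]
"""

if __name__ == "__main__":
    hits, clean = audit_log(SAMPLE_LOG)
    for lineno, name in hits:
        print(f"line {lineno}: plaintext value logged for {name}")
```

Any setting it flags should be treated as exposed and rotated; masking the stored log does not undo earlier access to it.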
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000