GET A DEMO
Voyager18 (research)

Microsoft Resolves Critical CVE-2023-36052 in Azure CLI

Learn all the details about CVE-2023-36052, a critical vulnerability in Microsoft's Azure CLI, including how to fix it.

Yair Divinsky | November 16, 2023

Microsoft recently addressed CVE-2023-36052, a critical security vulnerability within Azure CLI that had the potential to compromise sensitive credentials in logs. Here’s all you need to know about the specifics of this vulnerability, its potential impact, and the necessary steps to safeguard against it.

What is CVE-2023-36052?

CVE-2023-36052 is a critical security loophole within Azure CLI, reported by Aviad Hahami, a security researcher from Palo Alto Networks. This vulnerability enabled unauthorized access to plaintext information in logs created by Azure CLI in CI/CD environments linked to GitHub Actions or Azure DevOps. Exploiting CVE-2023-36052 potentially allowed attackers to retrieve sensitive credentials stored within the log files. 
The flaw essentially causes the exposure of plaintext credentials, creating a potential pathway for attackers to access usernames and passwords from logs generated by Azure CLI in Continuous Integration and Continuous Deployment (CI/CD) environments associated with GitHub Actions or Azure DevOps. 

CVE-2023-36052 at a glance

CISA deadline: 

None 

Type: 

Compromised Data Leakage 

Impact: 

Confidentiality 

Platforms: 

Azure CLI in CI/CD environments associated with GitHub Actions or Azure DevOps, specifically for users who have utilized Azure CLI commands generating logs in these environments 

Wild Exploit: 

No 

Mitigation: 

Update to version 2.53.1 or higher 

Remediation action: 

Update Azure CLI versions on CI runners and developers’ machines to 2.54 

Does CVE-2023-36052 affect me?

If you have used Azure CLI commands in CI/CD environments associated with GitHub Actions or Azure DevOps, there is a potential risk of being affected by CVE-2023-36052. Specifically, users who have utilized Azure CLI commands to generate logs in these environments are susceptible to this vulnerability.  

Has CVE-2023-36052 been actively exploited in the wild? 

As of the latest available information, there is no concrete evidence suggesting active exploitation of CVE-2023-36052 in the wild. Nevertheless, the severity of this vulnerability emphasizes the critical importance of promptly patching and securing systems, as threat actors may attempt to exploit such vulnerabilities swiftly once they become public knowledge. 

How to fix CVE-2023-36052? 

Following Microsoft’s advisory, the company strongly advises all users leveraging Azure CLI in these settings to promptly update to version 2.53.1 or higher to mitigate the risks associated with CVE-2023-36052. It states: “Users employing the impacted CLI commands are urged to upgrade their Azure CLI version to 2.53.1 or higher to shield themselves from the associated vulnerabilities. This directive extends to users whose log files have been generated through these commands via Azure DevOps and/or GitHub Actions.” 

Microsoft has also notified users who recently utilized Azure CLI commands through the Azure Portal. In a recent MSRC blog post, the company advised all users to transition to the latest Azure CLI version (2.54).  

Additionally, users are advised to adhere to the following steps to prevent inadvertent exposure of sensitive information within CI/CD logs: 

  1. Keep Azure CLI consistently updated to the most recent release. 
  2. Avoid exposing  the Azure CLI output in logs or any publicly accessible locations. When developing scripts that necessitate output values, filter out the required property, following Azure CLI guidance on output formats and recommended approaches for masking environment variables. 
  3. Regularly rotate keys and secrets, aligning with best practices to ensure heightened security measures in their environment (for detailed guidance on key and secret considerations in Azure). 
  4. Review the guidance on secrets management for Azure services. 
  5. Familiarize with GitHub’s recommended security hardening practices from GitHub Actions. 
  6. Ensure GitHub repositories are configured as private unless there’s a specific need for them to be public. 
  7. Review the guidance for securing Azure Pipelines 

Microsoft has introduced an enhanced default configuration in Azure CLI to reinforce security measures, limiting the visibility of secrets in the output produced by update commands relating to services within the App Service family, such as Web Apps and Functions. 

 

However, this new default setting will be available to users who have updated to the latest Azure CLI version (2.53.1 and above), while previous versions (2.53.0 and below) remain vulnerable to exploitation. 

Furthermore, the company has expanded credential redaction capabilities across GitHub Actions and Azure Pipelines to detect and obscure more recognizable key patterns within build logs. With these updated redaction capabilities, Microsoft assures that keys issued by them will be identified before inadvertent exposure in publicly accessible logs. 

In his research, Hahami notes: “The new release avoids echoing secrets and helps prevent inadvertent leakage in CI pipeline logs, developers’ machines, and log aggregators. It is highly recommended users update Azure CLI versions on CI runners and developers’ machines to 2.54 to ensure that no secrets are inadvertently printed in the logs.” 

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. The Q3 2023 Vulnerability Watch report
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png