The Microsoft Security Response Center (MSRC) is aware that the Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs.
Researchers from Palo Alto Networks' Prisma Cloud found that Azure CLI commands could be used to show sensitive data and output it to continuous integration and continuous deployment (CI/CD) logs.
Microsoft recommends that customers update to the latest version of Azure CLI (2.54) and follow the guidance provided below to help prevent the unintended exposure of secrets through CI/CD logs. A notification was sent in the Azure Portal to customers who recently used Azure CLI commands, informing them that an update is available.
In response to the Prisma Cloud report, Microsoft has made changes to several products, including Azure Pipelines, GitHub Actions and Azure CLI, to implement more robust secret redaction. This finding highlights the growing need to help ensure that customers do not log sensitive information into their repositories and CI/CD pipelines. Reducing security risk is a shared responsibility: Microsoft has released an update to Azure CLI to help prevent secrets from being output, and asks customers to take proactive steps to protect their workloads.
For more information about this vulnerability, see the Security Update Guide entry for CVE-2023-36052.
Microsoft has made changes to several Azure CLI commands and will continue to implement changes to further harden Azure CLI against inadvertent usage that could lead to secrets exposure.
One example is the implementation of a new default setting which prevents secrets from being presented in the output of update commands for services in the App Service family (Web Apps, Functions, etc.). This default setting only applies to customers who update to the newest version of Azure CLI (2.53.1 and above) and does not apply to previous versions of Azure CLI (2.53.0 and below). More information can be found in the Azure CLI release notes. Note that this change might adversely impact some automation workflows, since certain users might expect secret values in the Azure CLI response to be used in subsequent parts of the workflow. However, there are safer authoring patterns for automation that we encourage customers to consider. A sample of updated App Service commands can be found below. As the investigation continues, we will make further updates to Azure CLI and update the list of commands in CVE-2023-36052.
az webapp config appsettings set
az webapp config appsettings delete
In addition, we're expanding our credential redaction capabilities in GitHub Actions and Azure Pipelines to identify a wider range of recognizable key patterns in build logs and mask them. This redaction is designed to target a specific set of keys for accuracy and performance reasons and is intended to catch any Microsoft-issued keys that may have inadvertently found their way into public-facing logs. Note that the patterns being redacted are not currently comprehensive, and you may see additional variables and data masked in output and logs that are not set as secrets. Microsoft is continuously exploring ways of optimizing and extending this protection to include a robust set of patterns for potential secrets.
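The two mechanisms above (the CLI no longer echoing App Service setting values, and the CI systems masking recognizable secrets in logs) can both be implemented on the workflow side as well, which matters for pipelines still running Azure CLI 2.53.0 or below. The following is an added example, not Microsoft's code or the Azure CLI's: it blanks the `value` fields of the JSON that `az webapp config appsettings set` used to echo back, and it filters log lines through explicitly registered secrets plus a small set of key patterns. The response shape, the sample settings and the regex patterns are assumptions chosen for illustration; Microsoft's actual pattern list is not published here.

```python
"""Redacting Azure CLI App Service output before it reaches a CI/CD log.

Added example, not Microsoft's code. Both pieces are illustrative:
  * strip_setting_values(): blanks the `value` fields of the JSON that
    `az webapp config appsettings set` echoed back before 2.53.1, which is
    what the new CLI default does for you.
  * LogRedactor: a log-side filter combining explicitly registered secrets
    (what GitHub Actions' ::add-mask:: does) with a few key patterns. The
    patterns are assumptions for illustration, not Microsoft's list.
"""
import json
import re

# Constructed sample of the pre-2.53.1 response shape (assumed): a list of
# {name, slotSetting, value} objects, with the secret echoed back verbatim.
# The "AccountKey" is a dummy value, not a real key.
SAMPLE_AZ_OUTPUT = json.dumps(
    [
        {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": False, "value": "1"},
        {
            "name": "StorageConnection",
            "slotSetting": False,
            "value": (
                "DefaultEndpointsProtocol=https;AccountName=demo;"
                "AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net"
            ),
        },
    ],
    indent=2,
)


def strip_setting_values(az_json: str) -> str:
    """Return the settings JSON with every `value` replaced by null.

    Setting names stay visible for diagnostics; the values never belong in
    a log. Do this to any captured CLI output before printing it.
    """
    settings = json.loads(az_json)
    for setting in settings:
        if "value" in setting:
            setting["value"] = None
    return json.dumps(settings, indent=2)


class LogRedactor:
    """Mask secrets in log lines before they are written.

    Layer 1: values the workflow registered as secrets, masked on exact
    match (the effect of ::add-mask:: in GitHub Actions or of
    ##vso[task.setvariable variable=...;issecret=true] in Azure Pipelines).
    Layer 2: a small pattern set for common credential shapes. These
    patterns are illustrative assumptions, not a complete or official list.
    """

    MASK = "***"

    # (pattern, replacement) pairs. Group 1 keeps the key name so the log
    # still shows which field was masked.
    PATTERNS = [
        # key=value pairs inside connection strings and SAS tokens
        (re.compile(r"(?i)\b(AccountKey|SharedAccessKey|Password|Pwd|sig)=([^;&\s\"']+)"),
         r"\1=***"),
        # a bare 64-byte base64 blob, the shape of a storage account key
        (re.compile(r"[A-Za-z0-9+/]{86}=="), "***"),
    ]

    def __init__(self):
        self._secrets = []

    def add_mask(self, value: str) -> None:
        """Register a value to be masked wherever it appears verbatim."""
        if value:  # never register the empty string: it would match everywhere
            self._secrets.append(value)
            # longest first, so a secret containing another is masked whole
            self._secrets.sort(key=len, reverse=True)

    def redact(self, line: str) -> str:
        """Apply registered secrets first, then the shape-based patterns."""
        for secret in self._secrets:
            line = line.replace(secret, self.MASK)
        for pattern, replacement in self.PATTERNS:
            line = pattern.sub(replacement, line)
        return line

    def redact_lines(self, lines):
        return [self.redact(line) for line in lines]


if __name__ == "__main__":
    redactor = LogRedactor()
    redactor.add_mask("hunter2")  # a value the workflow knows is secret
    print(strip_setting_values(SAMPLE_AZ_OUTPUT))
    print(redactor.redact("db password is hunter2"))
    print(redactor.redact(SAMPLE_AZ_OUTPUT))
```

The first line of defense in a workflow is not to capture the output at all: `az webapp config appsettings set ... --output none` suppresses the response entirely, and a later `az webapp config appsettings list --query "[].name"` gives you the names without the values if you need to verify the change. Pattern-based masking like `LogRedactor` is a safety net, not a substitute: as the paragraph above notes, any pattern list is incomplete, and an unanticipated secret shape passes straight through.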
In response to this vulnerability, customers can take steps to help avoid the inadvertent exposure of sensitive information, including:
Official Microsoft announcement: Microsoft guidance regarding credentials leaked to GitHub Actions Logs through Azure CLI