Microsoft Azure CLI affected by CVE-2022-39327

CVE-2022-39327 is a code injection vulnerability that affects the command-line interface for Microsoft Azure (Azure CLI). The vulnerability allows an attacker to execute arbitrary commands on a Windows machine that runs an Azure CLI command with untrusted parameter values. The vulnerability was discovered by GitHub Security Lab and reported to Microsoft on October 7, 2022. Microsoft released a patch for the vulnerability on October 25, 2022, in version 2.40.0 of the Azure CLI.

How CVE-2022-39327 is being exploited

The vulnerability is caused by improper neutralization of special characters used in an OS command. Specifically, the Azure CLI does not properly escape the & and | symbols in the parameter values that are passed to the PowerShell subprocess. These symbols are interpreted as command separators by PowerShell, allowing an attacker to inject additional commands after the intended Azure CLI command.

For example, consider the following Azure CLI command that creates a resource group with a user-supplied name:

az group create --name $name --location westus

If the $name variable contains a malicious value such as test & calc.exe, the PowerShell subprocess will execute the following command:

az group create --name test & calc.exe --location westus

This will create a resource group with the name test and also launch the calculator application on the Windows machine. Depending on the context and privileges of the Azure CLI command, an attacker could execute more harmful commands, such as deleting resources, stealing credentials, or compromising the system.

The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell. If any of these prerequisites are not met, the vulnerability is not applicable.

How to fix CVE-2022-39327

Users should upgrade to version 2.40.0 or greater of the Azure CLI to receive a mitigation for the vulnerability. The patch adds proper escaping of the & and | symbols in the parameter values that are passed to the PowerShell subprocess, preventing command injection.

Alternatively, users can avoid using PowerShell as the default shell for the Azure CLI by setting the AZURE_CLI_DEFAULT_SHELL environment variable to cmd or bash (see: https://www.opencve.io/cve/CVE-2022-39327). However, this may not be feasible or desirable for some users who rely on PowerShell features or scripts.

How to prevent similar vulnerabilities in the future

To prevent similar vulnerabilities in the future, developers should follow secure coding practices and use libraries or frameworks that handle user input sanitization and command execution safely. As an example, developers can use the shlex module in Python to assure they split and quote command-line arguments correctly.

Additionally, users should be cautious when running Azure CLI commands with parameter values that come from untrusted sources, such as web applications, configuration files, or user input. Users should also apply the latest security updates and patches for the Azure CLI and other software components.

Summary

CVE-2022-39327 is a critical code injection vulnerability that affects the Azure CLI on Windows machines with PowerShell. The vulnerability allows an attacker to execute arbitrary commands on the hosting machine by injecting malicious symbols in the parameter values of the Azure CLI command. Users should upgrade to the latest version of the Azure CLI or change the default shell to mitigate the vulnerability. Developers should follow secure coding practices and use secure libraries or frameworks to prevent similar vulnerabilities in the future.