The most recent Azure CLI Code Injection vulnerability is a rare and dangerous case. It’s not often that the most popular cloud platform client is vulnerable to such critical issues as code injection. Regardless overall high risk of injections by OWASP Top 10 and OWASP API Security Top 10, code injections are not common for cloud infrastructures and providers and usually hits 3rs party applications and APIs. The case of CVE-2022-39327 is a unique one.
For instance, the following command line will execute an arbitrary shell command “uname” instead of the setting value aaa1337|uname for the parameter name injection:
az keyvault secret set --vault-name default --name injection --value "aaa1337|uname"
Azure CLI before version 2.40.0 (October 2022) is vulnerable to code injections by parameter values provided by the external sources.
This issue is probably the most valuable code injection finding after the ShellShock vulnerability is the Bash interpreter.
Upgrade to Azure CLI 2.40.0 or greater.
As of Azure CLI 2.40.0, a new .ps1 entry script is used as the entry point to call Python rather than cmd.exe. This removes the opportunity for cmd.exe to interpret input as a command invocation. Using this approach has introduced new issues however that you can read about in the “More information” section.
Immediately upgrade to 2.41.0 or greater is required. The manually call the azps.ps1 entry script is necessary for some critical scenarios.
Microsoft team says, that they have reverted to using the cmd.exe entry script as the default while keeping the azps.ps1 entry script for manual Azure CLI calls if users require it.
The CVSSv3 score of the CVE-2022-32327 vulnerability in Azure CLI is 9.8 out of 10.0 possible, which makes it critical by the risk. Azure users should immediately upgrade to Azure CLI 2.40.0 or higher. Keep posted.