Summary:
A critical vulnerability (CVE-2022-39327) in Microsoft Azure CLI versions before 2.40. allows attackers to inject malicious code when certain parameters are used. If you’re running scripts or letting users set parameters, you may be at risk, especially on Windows machines with PowerShell. Here’s what you need to know, including a simple exploit demo, ways to fix it, and why immediate action matters.
What is Azure CLI?
Azure CLI is Microsoft’s command-line tool for managing Azure cloud resources. Developers and admins use it for automation, deployments, and scripting.
- Platform: *Only impacts Windows when PowerShell is used*
- Trigger: Parameters passed to the CLI containing the characters & or | (shell operator symbols)
- Risk: If parameters come from an untrusted or dynamic source (like user input), an attacker can execute arbitrary commands.
Example Critical Scenario
Suppose you receive Azure CLI parameters (like VM names) from a web form, user input, or a config file you don’t fully control, and you pass them straight into a command on a Windows machine.
How the Exploit Works
When running Azure CLI commands on Windows with PowerShell, certain parameters are passed to a subprocess without strict sanitization. If & or | is present, PowerShell may interpret it as an instruction to run additional commands.
Attacker input: Let’s say you ask users for a resource group name, and someone enters this:
```
myResourceGroup & whoami
```
Your script (unsafe):
```python
import subprocess

# UNSAFE: user input is interpolated into a command string and run through a shell
resource_group = input("Enter resource group name: ")
command = f"az group show --name {resource_group}"
subprocess.run(command, shell=True)
```
On a vulnerable system, this would execute:
```
az group show --name myResourceGroup & whoami
```
As a result, PowerShell launches the whoami command after the legitimate Azure CLI command, revealing which account the script is running as.
> Any external, unchecked input with & or | could result in an attacker running arbitrary commands on the host machine!
The values can include & or |
*If any of these are not true, this vulnerability does not apply.*
Example - Evil Parameter in Automated Script
Suppose you have a script running nightly jobs, getting Azure VM names from a config maintained by a team. Someone accidentally or maliciously adds:
```
production01 & Remove-Item C:\important\data.txt
```
If your script does no validation and is running as admin, the attacker successfully deletes a critical file.
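One way to add the validation both scenarios above lack, as an added example that is not part of the original post or the Azure CLI project: it rejects values containing & or |, rejects anything outside an allowlist, and builds an argument list instead of a command string. The allowlist pattern and all function names are assumptions.

```python
import re
import shutil
import subprocess

# Assumption (not from the original post): names are limited to letters,
# digits, '_', '-' and '.', 1-90 characters. Tighten to your own convention.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,90}")
SHELL_OPERATORS = ("&", "|")  # the two characters the advisory names

class UnsafeParameter(ValueError):
    """The value must not be passed to the Azure CLI."""

def check_param(value):
    """Return value unchanged if it is safe to pass, else raise."""
    found = [op for op in SHELL_OPERATORS if op in value]
    if found:
        raise UnsafeParameter(f"shell operator {found} in {value!r}")
    if not SAFE_NAME.fullmatch(value):
        raise UnsafeParameter(f"outside the allowlist: {value!r}")
    return value

def build_group_show(resource_group):
    """Build an argument list; no command string is ever assembled."""
    return ["az", "group", "show", "--name", check_param(resource_group)]

def audit(values):
    """Sort candidate values into (accepted, rejected) without running az."""
    accepted, rejected = [], []
    for value in values:
        try:
            accepted.append(check_param(value))
        except UnsafeParameter:
            rejected.append(value)
    return accepted, rejected

def run_group_show(resource_group):
    """Validate first, then run az without shell=True."""
    argv = build_group_show(resource_group)
    argv[0] = shutil.which("az") or argv[0]  # resolves az.cmd on Windows
    return subprocess.run(argv, check=False)

# Constructed sample input: one clean name plus the two values from this post.
SAMPLES = ["production01", "myResourceGroup & whoami",
           r"production01 & Remove-Item C:\important\data.txt"]
```

Running `audit()` over a config file before the nightly job starts lets you fail the whole run on the first rejected value instead of discovering it mid-deployment.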
Upgrade Azure CLI!
- Update to version 2.40. or higher. The latest releases have fixed this vulnerability by properly sanitizing input parameters before shell execution.
Check your version:
```
az --version
```
If it’s below 2.40.
```
pip install --upgrade azure-cli
```
Or, for the MSI installer, download it from the Azure CLI Install Page.
Conclusion
CVE-2022-39327 is a major risk for anyone scripting or automating Azure CLI operations on Windows. If you use external or dynamic parameters, an attacker could gain control of your host through a simple command-injection trick. The fix is simple: upgrade your Azure CLI and always validate input.
Stay safe: update now, and check your scripts for untrusted input paths!
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:25:00 UTC