CVE-2023-36052: Microsoft Addresses Critical Azure Vulnerability

Microsoft has released a security update to address a critical vulnerability in the Azure CLI that could be exploited by attackers to recover plaintext passwords and usernames from log files created by the affected CLI commands. The vulnerability, tracked as CVE-2023-36052, enables unauthenticated attackers to remotely access plain text contents written by Azure CLI to Continuous Integration and Continuous Deployment (CI/CD) logs.

What is the vulnerability?

The vulnerability is caused by an error in the way that the Azure CLI handles sensitive information. As a result, attackers can exploit the vulnerability to gain access to plaintext passwords and usernames that are stored in log files.

What are the potential risks of the vulnerability?

If an attacker were to exploit the vulnerability, they could gain access to sensitive information such as passwords and usernames. This information could then be used to compromise other systems or to steal data.

How can I protect myself from the vulnerability?

The best way to protect yourself from the CVE-2023-36052 vulnerability is to update your Azure CLI to the latest version (2.54). You can also take the following steps to reduce your risk:

• Do not store sensitive information in log files.
• Use strong passwords and usernames.
• Enable two-factor authentication.

What is Microsoft doing to address the vulnerability?

Microsoft has released a security update to address the vulnerability. The company has also implemented a new Azure CLI default configuration to bolster security measures, aiming to prevent accidental disclosure of sensitive information.

In addition to the above, Microsoft also recommends the following:

1. Always update Azure CLI to the latest release to receive the most recent security updates.
2. Avoid exposing Azure CLI output in logs and/or publicly accessible locations. If developing a script that requires the output value, ensure that you filter out the property needed for the script. Please review Azure CLI information regarding output formats and implement our recommended guidance for masking an environment variable.
3. Rotate keys and secrets on a regular basis. As a general best practice, customers are encouraged to regularly rotate keys and secrets on a cadence that works best for their environment. See our article on key and secret considerations in Azure here.
4. Review the guidance around secrets management for Azure services.
5. Review GitHub best practices for security hardening in GitHub Actions.
6. Ensure GitHub repositories are set to private unless otherwise needed to be public.
7. Review our guidance for securing Azure Pipelines