Microsoft this week disclosed details of a serious container-escape vulnerability in its widely used Azure Service Fabric technology that gives attackers a way to gain root access on the host node and take over every other node in the cluster.
The privilege-escalation bug is exploitable only in Linux containers, although the vulnerable code is also present in Windows container environments, Microsoft said in an advisory on Tuesday. Security researchers at Palo Alto Networks reported the bug, which they call FabricScape, on January 30, 2022, along with a working exploit. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details about the bug were published only this week.
The fix has already reached customers who subscribe to Microsoft's automatic-update service; other customers need to update manually to the latest Service Fabric version. "Customers who have their Linux clusters updated automatically no longer need to take action," the company said in its advisory.
A privilege-escalation issue
Service Fabric is Microsoft's container-orchestration technology, comparable to Kubernetes. Many organizations use it as a platform-as-a-service to deploy and manage container- and microservice-based cloud applications across clusters of machines. Citing Microsoft data, Palo Alto Networks estimates that Service Fabric hosts more than 1 million applications every day across millions of cores.
The bug Palo Alto Networks discovered is in a high-privilege logging function of a Service Fabric component called the Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker who had gained a foothold in a compromised container could exploit the flaw to escalate privileges, gain control of the host node, escape the container and attack the entire cluster from there.
"The vulnerability allows attackers to take over the entire Service Fabric environment if they compromise a single application," said Ariel Zelivansky, director of security research at Palo Alto Networks. That lets attackers move laterally and steal, destroy or manipulate data. Other actions an attacker could take using FabricScape include deploying ransomware or hijacking systems to mine cryptocurrency.
"If an organization hosts all of its applications, and possibly certificates, on Service Fabric, an attacker can gain full control of them," Zelivansky said.
For an attack to succeed, a threat actor must first find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker must then trigger the DCA to run the vulnerable function in a way that produces a race condition in which malicious code can be introduced into the environment.
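The article does not show the DCA code, so the following is an added illustration (not Service Fabric's or Unit 42's code) of the generic shape of the flaw class described above: a privileged collector that validates a log file by name and then opens it by name again, leaving a window in which the container can swap in a symlink, shown next to a hardened version that opens once with `O_NOFOLLOW` and validates the open descriptor instead. The function names, the temp-directory layout and the "host secret" file are hypothetical; it assumes a POSIX system.

```python
# Added illustration of a check-then-open (TOCTOU) symlink race in a privileged
# log collector. This is NOT Service Fabric's DCA code; function names and the
# paths are hypothetical. Assumes a POSIX system (O_NOFOLLOW is not on Windows).
import os
import stat
import tempfile


def collect_unsafe(path, race_hook=None):
    """Vulnerable pattern: validate the *name*, then open the *name* again.

    Between the lstat() and the open() an attacker who controls the directory can
    replace `path` with a symlink, and a root-level collector will then read or
    write whatever the link points at. `race_hook` simulates that window.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing symlink")
    if race_hook is not None:
        race_hook()  # attacker acts here, after the check has already passed
    with open(path, "rb") as f:  # follows symlinks: opens the *current* target
        return f.read()


def collect_safe(path, expected_uid=None):
    """Hardened pattern: open once with O_NOFOLLOW, then validate the descriptor.

    Checks are made on the open fd (fstat), not on the name, so they cannot be
    raced. O_NOFOLLOW only protects the final path component; if an attacker may
    own a parent directory, open it first and use os.open(..., dir_fd=...) too.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)  # ELOOP on symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError("unexpected owner")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()


def demo():
    """Constructed scenario: a benign log file and a 'host secret' in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")
        secret = os.path.join(d, "host-secret")  # stands in for a sensitive host file
        with open(log, "wb") as f:
            f.write(b"benign log line\n")
        with open(secret, "wb") as f:
            f.write(b"SECRET\n")

        before_swap = collect_safe(log, expected_uid=os.getuid())

        def swap_in_symlink():
            os.remove(log)
            os.symlink(secret, log)

        leaked = collect_unsafe(log, race_hook=swap_in_symlink)
        try:
            collect_safe(log)
            blocked = False
        except OSError:  # ELOOP: the hardened open refuses the symlink
            blocked = True
        return {"before_swap": before_swap, "leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The example shows the read direction for clarity; the same window in a function that writes turns a root-level collector into an arbitrary file write on the host, which is the dangerous direction for a component that ingests logs produced by the workloads it is supposed to be isolated from.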
PoC: Exploiting the bug
Palo Alto Networks researchers were able to exploit the Azure Service Fabric vulnerability using a container under their control as a stand-in for a compromised workload. They found that the attack works only when the compromised container has access to the Service Fabric runtime, something that is granted by default in a single-tenant environment but is less common in a multitenant setup.
"Any application that runs on a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities, in the Azure Container Instances (ACI) platform, that similarly allowed container escapes.
Microsoft has asked organizations that host containerized workloads on Service Fabric clusters to review those workloads in both Linux and Windows environments. "By default, a [Service Fabric] cluster is a single-tenant environment and thus there is no separation between applications," Microsoft said. "All applications running in this single-tenant environment are considered trustworthy and therefore have access to the Service Fabric runtime."
Companies that want to run untrusted applications in a Service Fabric cluster must therefore take additional measures: access to the Service Fabric runtime should be removed for those untrusted apps so that applications are isolated from one another, Microsoft said.
Zelivansky says the first line of defense against vulnerabilities such as FabricScape is at the application level: limiting the likelihood of an attack by remediating vulnerabilities identified in application code and reducing Internet exposure.
However, he offers a warning: "But the reality is that even when an application is safe from all known vulnerabilities, zero-day vulnerabilities can be discovered and exploited in any code. And [software] supply-chain attacks such as typosquatted or malicious packages are becoming more common than ever before," he said.
Zelivansky says companies running Linux Service Fabric clusters should check the cluster version and verify that it is at least 9.0.1035.1. "Organizations should check Service Fabric to see if they have a Linux-based application. If the answer is yes, then we recommend giving the highest priority to dealing with this vulnerability, as the full details have come out."
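A small version check for the recommendation above, added here as an example and not tooling from Palo Alto Networks or Microsoft. It applies the single threshold the article gives for Linux clusters, 9.0.1035.1; if a cluster tracks an older release line, consult Microsoft's advisory for that line's patched build rather than this number. The cluster inventory is constructed sample data.

```python
# Added example for the version check above; not Palo Alto Networks' or
# Microsoft's tooling. The threshold is the one the article gives for Linux
# clusters; the cluster inventory below is constructed sample data.
import re

PATCHED_LINUX_VERSION = "9.0.1035.1"


def parse_version(version):
    """Turn a dotted version string into a tuple of ints; reject anything else
    so a blank or garbled value is never treated as 'patched'."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError(f"malformed version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(cluster_version, minimum=PATCHED_LINUX_VERSION):
    """True when cluster_version >= minimum, compared numerically per component.

    Plain string comparison is wrong here: '9.0.999.1' sorts after '9.0.1035.1'
    as text but is an older build. Short versions are zero-padded, so '9.1'
    compares as '9.1.0.0'.
    """
    a, b = parse_version(cluster_version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(clusters, minimum=PATCHED_LINUX_VERSION):
    """Return the names of clusters that still need the update, sorted."""
    return sorted(name for name, ver in clusters.items() if not is_patched(ver, minimum))


if __name__ == "__main__":
    sample_inventory = {  # constructed values, not real cluster data
        "prod-linux-east": "9.0.1035.1",
        "prod-linux-west": "9.0.1017.1",
        "dev-linux": "9.0.999.1",
    }
    print("needs update:", triage(sample_inventory))
```

Feed `triage` the cluster names and versions from your own inventory; the numeric comparison matters because Service Fabric build numbers have four components of varying width, which text comparison sorts incorrectly.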
Cloud vulnerabilities in the sights of cyber attackers
Vulnerabilities in cloud products and services have become a growing concern for companies, and not only because of the security risks associated with them. In many cases, companies also have a hard time keeping track of cloud vulnerabilities because no Common Vulnerabilities and Exposures (CVE) program exists to catalog them. Since many cloud-security issues are considered the sole responsibility of the service provider, often very little about them is disclosed, leaving customers in the dark about whether an issue poses a specific threat to them.
This week, researchers at Wiz launched a community-based cloud vulnerability database to address this information gap. The database currently holds more than 70 past security disclosures covering cloud products and services, and anyone can contribute entries going forward. The goal is to make it a central repository for cloud vulnerability information in the absence of a formal program like MITRE's CVE program for software flaws.