Microsoft Warns of Vuln That Allowed Access to Azure Infrastructure

Published: 23/11/2024   Category: security




Microsoft ran a five-year-old component that allowed vulnerability researchers to punch through the isolation that normally protects cloud tenants, researchers found.



A set of vulnerabilities in the Azure Container Instances (ACI) platform could have allowed users to escape their particular instance and gain control of the container-as-a-service (CaaS) infrastructure, Palo Alto Networks researchers reported on September 9.
The attack exploited a two-year-old vulnerability in a component of container infrastructure that is used to create new containers and run them. Exploiting the vulnerability allowed Palo Alto Networks vulnerability researchers to escape from Azure's multi-tenant public cloud environment and gain control of the Kubernetes management system.
"This is the first time that a complete takeover of a public cloud system has been demonstrated," says Ariel Zelivansky, leader of Palo Alto Networks' Unit 42 cloud research team.
"What we found is a vulnerability that escalates privileges to a cluster administrator, which gives you access to anything you want in Kubernetes," he says. "It is essentially the Holy Grail of cloud security attacks."
The vulnerabilities, which Palo Alto Networks dubbed Azurescape, were patched by Microsoft in late August after being notified by the security firm. Microsoft issued notifications to customers whose containers resided in the same clusters as the researchers' cloud infrastructure, the company stated in an advisory.
"Our investigation surfaced no unauthorized access to customer data," Microsoft said. "Out of an abundance of caution we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal."
Researchers discovered the issue by analyzing Azure's infrastructure using a container image known as WhoC, which uses security weaknesses to gather information about the host's container runtime. When researchers ran the container image in Microsoft's Azure service, they were surprised to find that Microsoft continued to use a five-year-old version of runC.
"Once we discovered the presence of this old version of runC in ACI, we took the PoC container image developed then, polished it and deployed it to ACI," the researchers stated in a technical post on their findings. "We successfully broke out of our container and gained a reverse shell running as root on the underlying host, which turned out to be a Kubernetes node."
Using their access to the environment, which continued to limit them to a single tenant space, researchers then reconnoitered using a variety of test containers and tools, finding that the Kubernetes clusters were running older versions of the software with known vulnerabilities. The Palo Alto Networks team used the vulnerabilities to gain administrator rights on the cluster of systems.
In a blog post, Palo Alto Networks characterized the flaw as the first known vulnerability that could enable one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service.
In late August, cloud-security firm Wiz.io discovered a vulnerability in how Microsoft Azure deployed the Jupyter Notebooks data analysis environment to users of its Cosmos DB database service, inadvertently giving users the ability to escape from their environment and access the data of other Cosmos DB users.
However, that attack did not give the researchers the ability to control the host systems, which the Azurescape attack chain does, Zelivansky says.
"A complete takeover has not been achieved before in the public cloud ever," he says. "There have been data leaks and accessing other tenants' information, but we are able to execute code in the context of other organizations ... and on the platform itself."
While companies and cloud users can do little to prevent the exploitation of such vulnerabilities—that is the purview of the cloud provider—they can detect the abuse of the cloud infrastructure, Zelivansky says. He recommended that companies analyzing their containers running in cloud infrastructure be aware of containers acting strangely. Cryptominers, the most common payload in such environments, are easy to detect if companies are looking at the runtime behavior.
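The runtime-behavior detection Zelivansky describes can be reduced to a few rules applied to per-container telemetry: an executable that is not part of the image's expected process set, CPU pegged for several consecutive samples, and egress to a destination the workload has no business talking to. The following is an added example written for this article, not code from Palo Alto Networks or Microsoft. The event schema, the per-container process and egress allowlists, the thresholds and the sample events are all constructed assumptions; in practice the events would come from a runtime security sensor or the node's audit stream.

```python
"""Toy container runtime-behavior detector (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int                 # seconds since the start of the observation window
    container: str          # container / workload name
    process: str            # executable observed running inside the container
    cpu_pct: float          # container CPU utilisation at this sample
    dest: Optional[str]     # new outbound connection "host:port", or None


# Assumed deployment baselines: what each workload is expected to run and reach.
PROCESS_BASELINE: Dict[str, set] = {
    "web-frontend": {"nginx", "sh"},
    "batch-worker": {"python3"},
}
EGRESS_BASELINE: Dict[str, set] = {
    "web-frontend": {"api.internal:443"},
    "batch-worker": {"db.internal:5432"},
}
CPU_THRESHOLD = 85.0      # percent; assumed threshold for "pegged" CPU
SUSTAINED_SAMPLES = 3     # consecutive hot samples before raising a finding


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return {container: [finding, ...]} for containers behaving outside baseline."""
    findings: Dict[str, List[str]] = defaultdict(list)
    hot_streak: Dict[str, int] = defaultdict(int)
    reported_procs: Dict[str, set] = defaultdict(set)

    for ev in sorted(events, key=lambda e: (e.container, e.ts)):
        allowed_procs = PROCESS_BASELINE.get(ev.container, set())
        allowed_dests = EGRESS_BASELINE.get(ev.container, set())

        # Rule 1: an executable the image was never expected to run (report once per name).
        if ev.process not in allowed_procs and ev.process not in reported_procs[ev.container]:
            reported_procs[ev.container].add(ev.process)
            findings[ev.container].append(f"t={ev.ts}: unexpected process '{ev.process}'")

        # Rule 2: sustained high CPU, the classic cryptominer footprint.
        if ev.cpu_pct >= CPU_THRESHOLD:
            hot_streak[ev.container] += 1
            if hot_streak[ev.container] == SUSTAINED_SAMPLES:
                findings[ev.container].append(
                    f"t={ev.ts}: CPU >= {CPU_THRESHOLD:.0f}% for {SUSTAINED_SAMPLES} consecutive samples"
                )
        else:
            hot_streak[ev.container] = 0

        # Rule 3: egress to a destination outside the workload's allowlist.
        if ev.dest and ev.dest not in allowed_dests:
            findings[ev.container].append(f"t={ev.ts}: egress to {ev.dest} not in baseline")

    return dict(findings)


# Constructed sample telemetry: a healthy web tier and a worker that starts mining.
SAMPLE_EVENTS = [
    Event(0, "web-frontend", "nginx", 20.0, "api.internal:443"),
    Event(10, "web-frontend", "nginx", 25.0, None),
    Event(20, "web-frontend", "sh", 5.0, None),
    Event(0, "batch-worker", "python3", 40.0, "db.internal:5432"),
    Event(20, "batch-worker", "xmrig", 97.0, "pool.example.net:3333"),   # constructed
    Event(30, "batch-worker", "xmrig", 98.0, None),
    Event(40, "batch-worker", "xmrig", 99.0, None),
]


if __name__ == "__main__":
    for container, notes in detect(SAMPLE_EVENTS).items():
        print(container)
        for note in notes:
            print("  -", note)
```

Only `batch-worker` is reported: the unexpected executable and the off-baseline egress at t=20, then the sustained-CPU finding at t=40 once three hot samples have accumulated. The point of the example is that none of the rules requires knowing the exploit used to get in; they key on the tenant's own workload deviating from what it was declared to do, which is exactly the visibility a cloud customer retains even when the underlying isolation flaw is the provider's to fix.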
Microsoft recommended that companies notified as potentially affected by the vulnerability should revoke and rotate any administrative credentials issued before August 31, 2021.
"If you have any concerns, rotating privileged credentials is a good periodic security practice and would be an effective precautionary measure," the company stated in its advisory.
In addition, companies should also follow the Azure security baseline practices for containers, Microsoft said.
