Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

Published: 23/11/2024   Category: security

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Service Fabric for Linux to thwart the FabricScape cloud bug.



Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.
The privilege-escalation bug is only exploitable on Linux containers, though the vulnerable code is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.
The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. Customers whose Linux clusters are automatically updated do not need to take further action, the company said in its bug disclosure announcement.
Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.
The bug that Palo Alto Networks discovered exists in a logging function with high privileges in a Service Fabric component called the Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.
The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application, says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.
If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those, Zelivansky says.
For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a race condition, which the attacker can win to introduce malicious code into the environment.
Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.
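The article does not describe the DCA internals, so the following is a generic illustration of the bug class it outlines (a privileged log collector that opens files in a directory a compromised workload can write to, and so can be raced or redirected), not Unit 42's exploit or Microsoft's code. It is an added example; every name in it (UntrustedLogFile, unsafe_read, hardened_read, the temporary "host secret" and "applogs" layout) is hypothetical and constructed for the demo. The unsafe reader follows whatever the workload places at the path; the hardened reader holds the directory open, refuses symlinks at the final component, and validates the inode it actually opened rather than the path name.

```python
import os
import shutil
import stat
import tempfile


class UntrustedLogFile(Exception):
    """Raised when an input file is not a plain, single-linked, owner-matching regular file."""


def unsafe_read(path: str) -> bytes:
    # Shape of the bug class: a root-level collector opens a path inside a
    # directory the (possibly compromised) workload controls. open() follows
    # symlinks, so the workload can point the read (or a write) at any host file.
    with open(path, "rb") as f:
        return f.read()


def hardened_read(dir_fd: int, name: str, expected_uid: int, max_bytes: int = 1 << 20) -> bytes:
    # Open relative to an already-held directory fd (the directory cannot be
    # swapped under us) and refuse to follow a symlink at the last component.
    if "/" in name or name in (".", ".."):
        raise UntrustedLogFile(f"refusing non-simple name {name!r}")
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY | os.O_CLOEXEC, dir_fd=dir_fd)
    except OSError as e:  # ELOOP for a symlink, ENOENT if it raced away, etc.
        raise UntrustedLogFile(f"{name}: {e.strerror}") from e
    try:
        st = os.fstat(fd)  # check the opened inode, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedLogFile(f"{name}: not a regular file")
        if st.st_nlink != 1:
            raise UntrustedLogFile(f"{name}: hard-linked elsewhere")
        if st.st_uid != expected_uid:
            raise UntrustedLogFile(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
        chunks, remaining = [], max_bytes
        while remaining > 0:
            chunk = os.read(fd, min(65536, remaining))
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    # Constructed layout: a "host" file outside the log directory, and an app
    # log directory that the workload can write to.
    root = tempfile.mkdtemp()
    try:
        host_secret = os.path.join(root, "host_secret")
        with open(host_secret, "wb") as f:
            f.write(b"host-only data\n")
        logdir = os.path.join(root, "applogs")
        os.mkdir(logdir)
        # The workload replaces its own log file with a symlink to the host file.
        os.symlink(host_secret, os.path.join(logdir, "app.log"))
        with open(os.path.join(logdir, "real.log"), "wb") as f:
            f.write(b"INFO started\n")

        result = {"unsafe": unsafe_read(os.path.join(logdir, "app.log"))}
        dir_fd = os.open(logdir, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
        try:
            result["real"] = hardened_read(dir_fd, "real.log", os.getuid())
            try:
                hardened_read(dir_fd, "app.log", os.getuid())
                result["hardened"] = "followed"
            except UntrustedLogFile as e:
                result["hardened"] = f"refused: {e}"
        finally:
            os.close(dir_fd)
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The st_nlink check only matters where the workload can hard-link host files into its directory (same filesystem); the ownership check is what actually keeps a file the workload did not create from being consumed. Neither replaces the isolation Microsoft recommends for untrusted applications.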
Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected, Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.
Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. By default, a [Service Fabric] cluster is a single-tenant environment and thus there is no isolation between applications, Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.
Thus, organizations that want to run untrusted applications in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to the Service Fabric runtime for those untrusted apps, Microsoft said.
Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.
However, he offers a caveat: But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And [software] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before, he says.
Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out.
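The version check above is easy to get wrong by comparing strings instead of numeric components. The following triage script is an added example, not tooling from Microsoft or Palo Alto Networks: it compares each Linux cluster's reported Service Fabric version against the 9.0.1035.1 minimum named in the article, and flags Windows clusters for the workload review Microsoft asked for rather than for patching. The Cluster type, triage function and SAMPLE_INVENTORY are constructed for the demo; where the version strings come from (the cluster manifest, the Azure portal, or an sfctl query) is up to the operator. It assumes that any release numerically above the minimum carries the fix, which is how the article's "at least" advice reads.

```python
from typing import List, NamedTuple, Tuple

# Minimum Linux Service Fabric version the article names as containing the fix.
FIXED_LINUX_VERSION = "9.0.1035.1"


class Cluster(NamedTuple):
    name: str
    os: str        # "linux" or "windows"
    version: str   # Service Fabric code version as reported by the cluster


def parse_version(s: str) -> Tuple[int, ...]:
    # Versions are dotted integers (e.g. 9.0.1035.1). Pad to four components so
    # "9.0" compares as 9.0.0.0 instead of misordering on unequal lengths.
    parts = [int(p) for p in s.strip().split(".") if p != ""]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised version string {s!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_fixed(version: str, minimum: str = FIXED_LINUX_VERSION) -> bool:
    # Component-wise comparison: "9.0.1035.1" >= "9.0.999.1" must be True,
    # which a plain string comparison gets wrong.
    return parse_version(version) >= parse_version(minimum)


def triage(clusters: List[Cluster]) -> List[Tuple[str, str]]:
    """Return (cluster name, recommended action) for each cluster in the inventory."""
    out = []
    for c in clusters:
        if c.os.lower() == "linux":
            if is_fixed(c.version):
                out.append((c.name, f"ok: {c.version} is at or above {FIXED_LINUX_VERSION}"))
            else:
                out.append((c.name, f"PATCH NOW: {c.version} is below {FIXED_LINUX_VERSION}"))
        else:
            # Not exploitable on Windows per Microsoft, but the advisory still asks
            # for a review of workloads that have Service Fabric runtime access.
            out.append((c.name, "not exploitable; review workloads with runtime access"))
    return out


# Constructed inventory for the demo; the version values are illustrative.
SAMPLE_INVENTORY = [
    Cluster("prod-eu-linux", "linux", "9.0.1018.1"),
    Cluster("prod-us-linux", "linux", "9.0.1035.1"),
    Cluster("dev-linux", "linux", "8.2.1521.1"),
    Cluster("legacy-win", "windows", "9.0.1028.9590"),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name:16} {action}")
```

Run it against your own inventory by replacing SAMPLE_INVENTORY; a cluster that reports a version the parser cannot read raises rather than silently passing, which is the failure mode you want when the output decides who patches tonight.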
Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because there is no Common Vulnerabilities and Exposures (CVE)-style program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.
This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.
