Microsoft Azure FabricScape bug let hackers hijack Linux clusters

In the Service Fabric (SF) application hosting platform, Microsoft has fixed a container escape vulnerability known as FabricScape that allowed a malicious user with access to a compromised container to escalate privileges to root, take over the host node, and compromise the entire SF Linux cluster.

Azure Service Fabric is Microsoft’s Platform-as-a-Service (PaaS) offering for building and deploying cloud applications with a microservices architecture rather than as a single monolithic programme. It also underpins a wide range of Microsoft products, including Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, Azure SQL Database, Azure Cosmos DB, Microsoft Intune, Azure Event Hubs, and Azure IoT Hub.

As part of the coordinated disclosure process, Microsoft stated that the flaw “allows a malicious actor, given access to a compromised container, to escalate privileges and acquire control of the resource’s host SF node and the entire cluster.” Although the underlying behaviour is present on both operating system (OS) platforms, the flaw can only be exploited on Linux; Microsoft reports that Windows was thoroughly tested and found not to be exploitable.

Details of the flaw were published by researchers at Palo Alto Networks Unit 42, who showed that it could be used to gain elevated privileges and take over every node in a cluster.

FabricScape (CVE-2022-30137) affects containers that are configured to have runtime access. It was fixed in Service Fabric 9.0 Cumulative Update 1.0, released on June 14, 2022.

High-level summary given by Microsoft:

Step 1: An attacker must first compromise a containerized workload that the owner of a Linux SF cluster has deployed.

Step 2: Malicious code running inside the container could replace an index file read by the Diagnostics Collection Agent (DCA) with a symlink.

Step 3: Using a subsequent timing attack, the attacker could take control of the machine hosting the SF node.

In practice, an attacker with access to a compromised containerized workload could substitute a symbolic link for a file that the agent reads (ProcessContainerLog.txt). Because DCA runs as root on the node, following that link lets the attacker overwrite an arbitrary file on the host.

Although both Linux and Windows containers exhibit this behaviour, only Linux containers can be exploited, since unprivileged actors are unable to create symbolic links in Windows containers, according to Unit 42 researcher Aviv Sasson.
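The steps above describe a classic symlink-following bug: a privileged agent opens a file by path inside a directory that an untrusted container can write to. The Python below is an added illustration of that bug class and of the defensive file-opening pattern; it is not Microsoft's DCA code and not Unit 42's exploit. Only the file name ProcessContainerLog.txt comes from the write-up; the directory layout, the "host file", and the helper names are constructed for this example.

```python
import errno
import os
import stat
import tempfile

# File name taken from the advisory; the directory layout and agent logic below
# are constructed for this example and are not the real DCA implementation.
LOG_NAME = "ProcessContainerLog.txt"


def attacker_plant_symlink(container_log_dir, host_target):
    """Container side: swap the log file for a symlink pointing at a host path."""
    link = os.path.join(container_log_dir, LOG_NAME)
    try:
        os.remove(link)
    except FileNotFoundError:
        pass
    os.symlink(host_target, link)
    return link


def agent_rotate_naive(container_log_dir):
    """Unsafe agent: plain open() follows the symlink, so a privileged process
    ends up truncating and writing whatever the link points at."""
    path = os.path.join(container_log_dir, LOG_NAME)
    with open(path, "w") as fh:      # follows symlinks
        fh.write("")
    return os.path.realpath(path)    # the file that was actually touched


def agent_open_hardened(container_log_dir):
    """Hardened agent: pin the parent directory to an fd, refuse a symlink at the
    final component (O_NOFOLLOW), and validate the *opened* fd with fstat so the
    check and the use refer to the same object (no lstat-then-open race)."""
    dir_fd = os.open(container_log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            fd = os.open(LOG_NAME, os.O_WRONLY | os.O_NOFOLLOW | os.O_NOCTTY, dir_fd=dir_fd)
        except OSError as exc:
            if exc.errno == errno.ELOOP:
                raise PermissionError(f"{LOG_NAME} is a symlink; refusing to touch it")
            raise
        st = os.fstat(fd)
        # Reject anything that is not a single-linked regular file: a hard link
        # to a host file would pass O_NOFOLLOW but still alias host data.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            os.close(fd)
            raise PermissionError(f"{LOG_NAME} is not a plain regular file")
        return fd
    finally:
        os.close(dir_fd)


def demo():
    """Constructed scenario: a host file the agent must never touch, a per-container
    log directory the container can write to, and both agent variants."""
    with tempfile.TemporaryDirectory() as root:
        host_file = os.path.join(root, "host_file")
        with open(host_file, "w") as fh:
            fh.write("important host data\n")
        log_dir = os.path.join(root, "container_logs")
        os.mkdir(log_dir)

        attacker_plant_symlink(log_dir, host_file)
        touched = agent_rotate_naive(log_dir)
        naive_followed = touched == os.path.realpath(host_file)
        size_after_naive = os.path.getsize(host_file)     # 0: host file truncated

        try:
            agent_open_hardened(log_dir)
            hardened_refused = False
        except PermissionError:
            hardened_refused = True

        # The hardened open still works on a legitimate regular log file.
        os.remove(os.path.join(log_dir, LOG_NAME))
        with open(os.path.join(log_dir, LOG_NAME), "w") as fh:
            fh.write("real container log\n")
        fd = agent_open_hardened(log_dir)
        accepted = fd >= 0
        os.close(fd)

        return {
            "naive_followed_link": naive_followed,
            "host_file_size_after_naive": size_after_naive,
            "hardened_refused_symlink": hardened_refused,
            "hardened_accepts_regular_file": accepted,
        }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. First, Microsoft's actual fix was to stop DCA consuming the user-generated file at all, which is the stronger option; the hardened open above is the general pattern for any root-level agent that genuinely has to process files from an untrusted directory. Second, checking with lstat and then opening by path is itself racy (the attacker swaps the file between the two calls, which is the "timing attack" family mentioned above); opening with O_NOFOLLOW and validating the returned descriptor with fstat avoids that window.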


Mitigation by Microsoft

The privilege escalation flaw in the SF runtime was fixed on May 24th, 2022, and automated upgrades for customers were enabled. Specifically, the SF Diagnostics Collection Agent (DCA) was modified so that it no longer consumes user-generated files placed in the container’s log folder.

On June 9, 2022, Microsoft updated its public security guidance to describe the consequences of hosting compromised containers or running untrusted programmes.

CVE-2022-30137 was published on June 14, 2022, and customers received the fix via automatic updates. Customers without automatic upgrades were notified through the portal via Azure Service Health.


Remediation:

Customers running older versions of Azure Service Fabric can bring their Linux clusters up to the latest Service Fabric release by enabling automatic upgrades. Linux clusters that already upgrade automatically need no further action.

Beyond patching, Microsoft recommends that customers do not run untrusted applications in Service Fabric.