Microsoft Corp. has issued a patch for a vulnerability in Service Fabric that allows attackers to gain root privileges on a node and then take over other nodes in a cluster.
Service Fabric hosts over one million applications and runs on millions of cores daily. It powers Azure services, including Azure Service Fabric, Azure SQL Database and Azure CosmosDB. Service Fabric is also found in other Microsoft products, including Cortana and Microsoft Power BI.
The vulnerability, dubbed “FabricScape,” was discovered by researchers at Palo Alto Network Inc.’s Unit 42 specifically in Azure Service Fabric, used in Azure to deploy private Service Fabric clusters in the cloud.
To exploit the vulnerability – CVE-2022-30137 – an attacker would need read/write access to the cluster and the ability to execute code within a Linux container with access to the Service Fabric runtime. The issue arises from a highly privileged logging function in Service Fabric’s Data Collection Agent (DCA) component.
The researchers found that an attacker who had compromised a containerized workload could substitute a file read by the agent with a rogue symbolic link. Because DCA runs as root on the node, the link could be leveraged to overwrite any arbitrary file.
Interestingly, the vulnerability affects only Linux containers, because unprivileged actors cannot create symlinks in a Windows container.
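The root cause described above (a privileged collector reading a path that a tenant can replace with a symlink) is what the defensive pattern below guards against; it is an added example, not Unit 42's or Microsoft's code, and the function and sandbox names are assumptions. Every path component is opened with O_NOFOLLOW through openat semantics, and the result must be a plain regular file before it is read.

```python
import os
import stat
import tempfile

_DIR_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY | os.O_CLOEXEC
_FILE_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC


def read_regular_file_nofollow(root, rel_path, max_bytes=1 << 20):
    """Read root/rel_path; O_NOFOLLOW guards only the leaf, so every directory is opened via dir_fd."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"rejected path: {rel_path!r}")
    fd = os.open(root, _DIR_FLAGS)
    try:
        for part in parts[:-1]:
            nfd = os.open(part, _DIR_FLAGS, dir_fd=fd)  # ELOOP if a symlink
            os.close(fd)
            fd = nfd
        leaf_fd = os.open(parts[-1], _FILE_FLAGS, dir_fd=fd)  # ELOOP if a symlink
    finally:
        os.close(fd)
    try:
        st = os.fstat(leaf_fd)
        # Plain regular file with one link: rejects devices, FIFOs and planted hard links.
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise PermissionError(f"not a plain regular file: {rel_path!r}")
        return os.read(leaf_fd, max_bytes)
    finally:
        os.close(leaf_fd)


def demo():
    """Constructed sandbox: a benign log, a planted symlink, a symlinked parent, a '..' path."""
    results = {}
    with tempfile.TemporaryDirectory() as box:
        os.mkdir(os.path.join(box, "logs"))
        for rel, data in (("logs/app.log", b"constructed log line\n"), ("secret", b"not the tenant's\n")):
            with open(os.path.join(box, rel), "wb") as f:
                f.write(data)
        os.symlink(os.path.join(box, "secret"), os.path.join(box, "logs", "planted.log"))
        os.symlink(box, os.path.join(box, "logs", "linkdir"))
        results["benign"] = read_regular_file_nofollow(box, "logs/app.log")
        for name, rel in (("leaf_symlink", "logs/planted.log"),
                          ("dir_symlink", "logs/linkdir/secret"), ("traversal", "logs/../secret")):
            try:
                read_regular_file_nofollow(box, rel)
                results[name] = "followed"
            except OSError:  # PermissionError and ELOOP both land here
                results[name] = "rejected"
    return results
```

The same check belongs in any root-level agent that consumes files from a tenant-writable directory; the hard-link test is defence in depth for hosts where fs.protected_hardlinks is disabled.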
The researchers note that there is no evidence the vulnerability has been exploited to date. However, they recommend that organizations take immediate action to determine whether they are exposed and apply the patch.
“In targeting cloud-based applications using Microsoft Service Fabric, threat actors are once again finding opportunities (at scale) based on some percent of system operators not being on top of applying security updates and patches,” Bud Broomhead, chief executive officer of IoT cyber hygiene company Viakoo Inc., told SiliconANGLE. “Similar to vulnerabilities targeting open-source software components or IoT devices, hackers will succeed in cases where patching is not done automatically.”
“While there may be good reasons for an organization to not have security fixes implemented automatically (as Microsoft recommends), those same organizations must be prepared to react quickly and manually to high severity threats like this,” Broomhead explained. “Not being staffed or prepared to handle this task puts the application owner in a position where it can damage their reputation (e.g. customer data may be exfiltrated) or even invalidate their cyber insurance (for not maintaining security properly).”