Cybersecurity researchers from Palo Alto Networks Unit 42 disclosed details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster.
The issue, which has been dubbed FabricScape (CVE-2022-30137), could only be weaponized on containers that are configured to have runtime access. It has been remediated as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0.
Azure Service Fabric is Microsoft's platform-as-a-service (PaaS) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines.
"The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft said as part of the coordinated disclosure process. "Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack."
A Service Fabric cluster is a network-connected set of several nodes (Windows Server or Linux), each of which are designed to manage and execute applications that consist of microservices or containers.
The vulnerability identified by Unit 42 resides in a component called Diagnostics Collection Agent (DCA) that's responsible for gathering container log information and relates to what's called a "symlink race."
In a demonstrated proof-of-concept (PoC) exploit, an attacker already with access to a containerized workload could substitute a file read by the agent ("ProcessContainerLog.txt") with a rogue symbolic link that could then be leveraged to overwrite any arbitrary file considering DCA runs as root on the node.
"While this behavior can be observed on both Linux containers and Windows containers, it is only exploitable in Linux containers because in Windows containers unprivileged actors cannot create symlinks in that environment," Unit 42 researcher Aviv Sasson said.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
Code execution is subsequently achieved by taking advantage of the flaw to override the "/etc/environment" file on the host, followed by exploiting an internal hourly cron job that runs as root to import malicious environment variables and load a rogue shared object on the compromised container that grants the attacker a reverse shell in the context of root.
"In order to gain code execution, we used a technique called dynamic linker hijacking. We abused the LD_PRELOAD environment variable," Sasson explained. "During the initialization of a new process, the linker loads the shared object that this variable points to, and with that, we inject shared objects to the privileged cron jobs on the node.
Although there is no evidence that the vulnerability has been exploited in real-world attacks to date, it's crucial that organizations take immediate action to determine if their environments are susceptible and implement the patches.
Microsoft has also urged organizations using the service to review containerized workloads in both Linux and Windows environments and take additional measures to create isolation modes when considering hosting untrusted applications and remove their access to the Service Fabric runtime.