Microsoft Corp. has issued a patch for a vulnerability in Service Fabric that allows attackers to gain root privileges on a node and then take over other nodes in a cluster.
Service Fabric hosts more than 1 million applications and runs on millions of cores daily. It powers Azure services, including Azure Service Fabric, Azure SQL Database and Azure CosmosDB. Service Fabric is also found in other Microsoft products, including Cortana and Microsoft Power BI.
The vulnerability, dubbed “FabricScape,” was discovered by researchers at Palo Alto Network Inc.’s Unit 42 specifically in Azure Service Fabric, which is used in Azure to deploy private Service Fabric clusters in the cloud. It was publicized Tuesday.
To exploit the vulnerability, tracked as CVE-2022-30137, an attacker would need read/write access to the cluster and the ability to execute code inside a Linux container that has access to the Service Fabric runtime. The issue arises from a logging function that runs with high privileges in Service Fabric's Data Collection Agent (DCA) component.
The researchers found that an attacker who had compromised a containerized workload could substitute a file read by the agent with a rogue symbolic link. Because DCA runs as root on the node, the link could be leveraged to overwrite any arbitrary file.
Interestingly, the vulnerability only affects Linux containers, because on Windows containers unprivileged actors cannot create symlinks in that environment.
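The root cause described above is a generic one: a privileged agent opens a file whose path lives in a directory a less-privileged workload can write to, and the open call silently follows a symlink. The example below is added here to illustrate that pattern and a hardened alternative; it is not code from Service Fabric, from Microsoft or from Unit 42. The naive reader (`read_log_unsafe`) follows the link; the hardened opener (`open_nofollow`) refuses symlinks and non-regular files, opens with `O_NOFOLLOW` where the platform supports it, and re-checks the inode after opening so a swap between the check and the open is detected. The directory layout, file names and contents in `demo()` are constructed for the example.

```python
import os
import stat
import tempfile


def read_log_unsafe(path: str) -> bytes:
    # Naive pattern: open() follows symlinks, so a privileged reader pointed at
    # a workload-controlled path is redirected to wherever the link points.
    with open(path, "rb") as f:
        return f.read()


def open_nofollow(path: str, flags: int) -> int:
    """Open `path` only if it is a regular file and not a symlink.

    Returns a file descriptor; raises PermissionError otherwise.
    """
    st = os.lstat(path)  # lstat does not follow the final component
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to follow symlink: {path}")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"refusing non-regular file: {path}")
    # O_NOFOLLOW makes the kernel itself reject a symlink at the last component
    # (Linux/BSD); on platforms without it the lstat check above still applies.
    fd = os.open(path, flags | getattr(os, "O_NOFOLLOW", 0))
    try:
        fst = os.fstat(fd)
        # Guard against a check-then-open race: the object we opened must be
        # the same inode we inspected with lstat.
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError(f"file changed between check and open: {path}")
    except Exception:
        os.close(fd)
        raise
    return fd


def read_log_hardened(path: str) -> bytes:
    fd = open_nofollow(path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd
        return f.read()


def append_log_hardened(path: str, data: bytes) -> int:
    # Same protection for the write side: a root agent must never append or
    # truncate through a link it did not create itself.
    fd = open_nofollow(path, os.O_WRONLY | os.O_APPEND)
    with os.fdopen(fd, "ab") as f:
        return f.write(data)


def demo() -> dict:
    """Constructed scenario: a workload-writable log directory next to a
    sensitive file that a symlink inside the log directory points at."""
    with tempfile.TemporaryDirectory() as d:
        sensitive = os.path.join(d, "sensitive.txt")
        with open(sensitive, "wb") as f:
            f.write(b"secret")
        logdir = os.path.join(d, "logs")
        os.mkdir(logdir)
        real_log = os.path.join(logdir, "app.log")
        with open(real_log, "wb") as f:
            f.write(b"line1\n")
        linked_log = os.path.join(logdir, "app2.log")
        os.symlink(sensitive, linked_log)  # the rogue link

        result = {}
        result["regular_ok"] = read_log_hardened(real_log) == b"line1\n"
        result["unsafe_follows"] = read_log_unsafe(linked_log) == b"secret"
        try:
            read_log_hardened(linked_log)
            result["hardened_refuses_read"] = False
        except PermissionError:
            result["hardened_refuses_read"] = True
        try:
            append_log_hardened(linked_log, b"x")
            result["hardened_refuses_write"] = False
        except PermissionError:
            result["hardened_refuses_write"] = True
        # The sensitive file must be untouched after the refused write.
        with open(sensitive, "rb") as f:
            result["sensitive_intact"] = f.read() == b"secret"
        return result


if __name__ == "__main__":
    print(demo())
```

Note the limits of this check: `lstat` and `O_NOFOLLOW` cover only the final path component, so a parent directory that the workload can rename or replace with a link still needs to be handled (for example by opening the directory first and using `os.open` with `dir_fd`, or by keeping privileged logging paths outside any workload-writable tree). The demo requires a filesystem that allows unprivileged symlink creation, which is the Linux case the article describes.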
There’s no evidence that the vulnerability has been exploited to date. However, the researchers recommend that organizations take immediate action to determine if they’re exposed to the vulnerability and implement the patch.
“In targeting cloud-based applications using Microsoft Service Fabric, threat actors are once again finding opportunities (at scale) based on some percent of system operators not being on top of applying security updates and patches,” Bud Broomhead, chief executive officer of “internet of things” cybersecurity hygiene company Viakoo Inc., told SiliconANGLE. “Similar to vulnerabilities targeting open-source software components or IoT devices, hackers will succeed in cases where patching is not done automatically.”
Although he explained that there may be good reasons for an organization not to have security fixes implemented automatically, as Microsoft recommends, those same organizations must be prepared to react quickly to high-severity threats such as this. “Not being staffed or prepared to handle this task puts the application owner in a position where it can damage their reputation, for example customer data may be exfiltrated, or even invalidate their cyber insurance for not maintaining security properly.”