Cybersecurity researchers from Palo Alto Networks Unit 42 revealed details of a new security flaw affecting Microsoft’s Service Fabric that can be exploited by attackers to gain elevated permissions and take control of all nodes in a cluster.
The flaw, dubbed FabricScape (CVE-2022-30137), can be exploited on containers configured to have runtime access. It has been fixed as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0.
Azure Service Fabric is Microsoft’s platform-as-a-service (PaaS) and container orchestrator solution used to build and deploy microservices-based cloud applications on a cluster of machines. “The vulnerability allows an attacker, with access to a compromised container, to escalate privileges and take control of the resource’s host SF node and the entire cluster,” Microsoft said as part of the coordinated disclosure process.
“While the bug exists on both operating systems (OS), it can only be exploited on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack.”
A Service Fabric cluster is a network-connected set of different nodes (Windows Server or Linux), each designed to manage and run applications made up of microservices or containers.
The vulnerability identified by Unit 42 resides in a component called the Diagnostics Collection Agent (DCA), which is responsible for collecting diagnostic information, and pertains to what is called a “symlink race.”
In a hypothetical scenario, an attacker with access to a compromised containerized workload could replace a file read by the agent (“ProcessContainerLog.txt”) with a rogue symbolic link that could then be used to overwrite any file, since DCA runs as root on the node.
“While this behavior can be observed on both Linux containers and Windows containers, it can only be exploited in Linux containers because unauthorized actors in Windows containers cannot create symlinks in that environment,” said Unit 42 researcher Aviv Sasson.
Code execution is then achieved by using the flaw to overwrite the “/etc/environment” file on the host, followed by exploiting an internal hourly cron job that runs as root to import malicious environment variables and load a rogue shared object in the compromised container, giving the attacker a reverse shell in the context of root.
“To get code execution, we used a technique called dynamic linker hijacking. We abused the LD_PRELOAD environment variable,” explains Sasson. “During the initialization of a new process, the linker loads the shared object referenced by this variable, thereby injecting shared objects into the privileged cron jobs on the node.”
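The symlink race described above comes down to a privileged agent following an attacker-planted link when it opens a file in a path the container can write to. The following is an added example, not code from Microsoft, Unit 42 or the Service Fabric project, of the defensive pattern that closes that class of bug on POSIX systems: open with O_NOFOLLOW and validate the already-open descriptor rather than the path. The file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile


def read_log_safely(path: str, max_size: int = 1 << 20) -> bytes:
    """Read a file from a location an untrusted container can write to.

    O_NOFOLLOW refuses a symlink in the final path component, and every
    check runs on the open descriptor via fstat(), so the inode cannot be
    swapped between the check and the read (TOCTOU). Parent directories
    are still resolved normally; a privileged agent must keep those out of
    the untrusted party's control as well.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:  # ELOOP: the final component is a symlink
        raise PermissionError(f"refusing to open {path}: {exc}") from exc
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_nlink != 1:
            # a hard link planted by the writer would alias a file elsewhere
            raise PermissionError(f"{path} has {st.st_nlink} links")
        if st.st_size > max_size:
            raise PermissionError(f"{path} is larger than {max_size} bytes")
        return f.read(max_size)


def demonstrate() -> dict:
    """Constructed scenario: a genuine log file next to a planted symlink
    that points at a file the reader must never touch."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "ProcessContainerLog.txt")
    with open(log, "wb") as f:
        f.write(b"container log line\n")
    protected = os.path.join(d, "environment")  # stands in for /etc/environment
    with open(protected, "wb") as f:
        f.write(b"PATH=/usr/bin\n")
    planted = os.path.join(d, "planted.txt")
    os.symlink(protected, planted)
    result = {"regular": read_log_safely(log)}
    try:
        read_log_safely(planted)
        result["symlink_refused"] = False
    except PermissionError:
        result["symlink_refused"] = True
    return result
```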
While there is no evidence to date that the vulnerability has been exploited in real-world attacks, it is critical that organizations take immediate action to determine if their environments are susceptible and deploy the patches.