Microsoft has announced that it has patched a vulnerability of significant severity in Service Fabric, its distributed-systems platform for hosting applications in containers and on virtual machines, which underpins many Azure and Microsoft services.
The vulnerability was discovered by Palo Alto Networks' Unit 42 cloud threat research team. A general description of FabricScape and its impact is given in this article; a more technical analysis is available in Unit 42's own blog post.
- The vulnerability, named FabricScape, affects Service Fabric, which many companies rely on for cloud deployments.
- After it was reported to Microsoft, Unit 42 teamed up with Microsoft to develop a solution.
- The vulnerability allowed an attacker who had compromised a single container to escape it, gain root on the underlying node and take over every node in the cluster.
The analysis is part of the ongoing work by Palo Alto Networks and Unit 42 to improve the security of public clouds: the researchers continuously analyze open-source software and cloud infrastructure to identify new vulnerabilities and emerging threats.
Unit 42 researchers identified FabricScape (CVE-2022-30137), a vulnerability of significant severity in Microsoft's Service Fabric, commonly used with Azure, that allows a Linux container to escalate its privileges to root on the host node and from there compromise every node in the cluster. The vulnerability could be exploited from containers configured with runtime access, which Service Fabric grants to every container by default.
According to Microsoft, Service Fabric hosts more than one million applications and runs on millions of cores every day. It powers many Azure offerings, including Azure Service Fabric, Azure SQL Database and Azure Cosmos DB, as well as other Microsoft products such as Cortana and Microsoft Power BI.
Using a container under our control to simulate a compromised workload, we were able to exploit the vulnerability in Azure Service Fabric, an Azure offering that provides private Service Fabric clusters in the cloud. Other attempts to exploit Azure offerings that run on managed, multi-instance Service Fabric clusters failed because Microsoft had disabled runtime access for the containers of those offerings.
Palo Alto Networks worked closely with Microsoft to resolve the issue. Microsoft has released a patch for Azure Service Fabric that has already been rolled out to Linux clusters, and has also updated the internal production environments of the offerings and products built on Service Fabric.
Palo Alto Networks recommends that organizations running Azure Service Fabric without automatic upgrades enabled update their Linux clusters to the latest Service Fabric version. Customers whose Linux clusters are upgraded automatically do not need to take any further action.
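The recommendation above boils down to a simple inventory question: which Linux clusters are on manual upgrade mode and still below the patched runtime? The following script is an added example, not code from the article, Unit 42 or Microsoft. It assumes the cluster list has already been exported with `az sf cluster list -o json`, and it relies on the `vmImage`, `upgradeMode` and `clusterCodeVersion` properties of the Microsoft.ServiceFabric/clusters resource. The sample JSON is constructed, and the minimum version passed in is a placeholder: take the real patched build number for your runtime line from Microsoft's advisory for CVE-2022-30137.

```python
"""Flag Azure Service Fabric Linux clusters that still need a manual upgrade.

Added example (not from the article or the vendors). Input is the JSON
produced by `az sf cluster list -o json`; only the three properties used
below are assumed to be present.
"""
import json

# Constructed sample in the shape of `az sf cluster list -o json`.
# Cluster names and version numbers are invented for illustration.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "prod-linux-01", "vmImage": "Linux", "upgradeMode": "Manual",
     "clusterCodeVersion": "8.2.1235.1"},
    {"name": "prod-linux-02", "vmImage": "Linux", "upgradeMode": "Automatic",
     "clusterCodeVersion": "9.0.1035.1"},
    {"name": "win-cluster", "vmImage": "Windows", "upgradeMode": "Manual",
     "clusterCodeVersion": "8.2.1235.1"},
    {"name": "legacy-linux", "vmImage": "Linux", "upgradeMode": "Manual",
     "clusterCodeVersion": "9.0.1028.1"},
    {"name": "patched-linux", "vmImage": "Linux", "upgradeMode": "Manual",
     "clusterCodeVersion": "9.0.1035.1"},
])


def parse_version(version):
    """Turn a Service Fabric version string such as '9.0.1035.1' into a
    tuple of ints so that comparison is numeric, not lexical
    ('9.0.1035.1' > '9.0.999.1', which a string compare would get wrong)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Pad to four components so tuples of different length compare sanely.
    return parts + (0,) * (4 - len(parts))


def clusters_needing_upgrade(az_json, min_patched_version):
    """Return the sorted names of Linux clusters that are on manual upgrade
    mode and run a runtime older than min_patched_version.

    Clusters on Automatic upgrade mode are skipped, matching the advice
    that they need no action; Windows clusters are skipped because the
    issue affects Linux clusters. A cluster whose version is missing or
    unparsable is reported rather than silently passed.
    """
    minimum = parse_version(min_patched_version)
    flagged = []
    for cluster in json.loads(az_json):
        if cluster.get("vmImage") != "Linux":
            continue
        if cluster.get("upgradeMode") == "Automatic":
            continue
        version = cluster.get("clusterCodeVersion")
        try:
            if version is not None and parse_version(version) >= minimum:
                continue
        except ValueError:
            pass  # unparsable version: fall through and flag it
        flagged.append(cluster.get("name", "<unnamed>"))
    return sorted(flagged)


if __name__ == "__main__":
    # Placeholder minimum; replace with the patched build from the advisory.
    for name in clusters_needing_upgrade(SAMPLE_AZ_OUTPUT, "9.0.1035.1"):
        print(f"needs manual upgrade: {name}")
```

In practice pipe the real output in (`az sf cluster list -o json | python3 audit.py`) and treat every flagged cluster as exposed until its runtime has been upgraded; an unparsable or missing version is deliberately reported rather than ignored.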
Both Microsoft and Palo Alto Networks recommend avoiding running untrusted applications in Service Fabric.