Hacking Azure Functions to break out of Docker

[German]Vulnerabilities in Microsoft Azure Functions can be exploited to escalate privileges and then also break out Docker containers. It affects Microsoft Azure Cloud Functions if Docker containers are used.


The security issue came under my eye this week – I had noticed it in passing on The Hacker News in this post, but then came across this article linked within the following tweet.  

Hacking Microsoft Azure:  to escape Docker

What is Azure Functions?

Azure Functions  is a serverless computing service that lets users run code without having to deploy or manage infrastructure. Azure Functions is Microsoft's equivalent of Amazon Web Services' well-known Lambda service, the folks at interzer.com write. Microsoft documentation is available here.

Azure Functions can be triggered by HTTP requests and is said to run for just a few minutes to process the event. Behind the scenes, the user's code is run and served in an Azure-managed container without the user having to manage their own infrastructure. In fact, this code should be securely segmented and unable to break out of its confined environment.

Breaking out of the Azure docker container

However, security researcher Paul Litvak has uncovered a vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape from the Docker container in which they are hosted. He described the technical details in the intezer.com blog post mentioned above. 


(Source: Youtube)

In a proof-of-concept (PoC), Litvak was able to execute a PowerShell command on the host from within a Docker container (see video above). After disclosure to Microsoft, there was feedback "that the vulnerability had no security impact on Functions users, as the host itself was still protected against the elevated position by another defensive boundary."

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *