Azure: Container Escape Vulnerability (CVE-2022-30137) in Microsoft's Service Fabric Closed

Security researchers from Palo Alto Networks have discovered a container escape vulnerability in Microsoft's Service Fabric, which they named FabricScape. Service Fabric is commonly used with Azure. Palo Alto Networks has partnered with Microsoft to address this vulnerability.


I came across the container escape vulnerability (CVE-2022-30137) in Microsoft's Service Fabric via the following tweet; it is described in more detail in the article FabricScape: Escaping Service Fabric and Taking Over the Cluster. The title says it all: by escaping from containers hosted on Microsoft Azure via Microsoft's Service Fabric, an attacker exploiting the vulnerability (CVE-2022-30137) could take over entire clusters.

Here is a second post, Uncovering FabricScape, that summarizes the details somewhat. Security researchers at Unit 42 identified FabricScape (CVE-2022-30137), a vulnerability of significant severity in Microsoft's Service Fabric. The software is commonly used with Azure, and the vulnerability allows Linux containers to escalate privileges. An attacker can thereby gain root privileges on the node and then has everything needed to compromise the other nodes in the cluster. The vulnerability could be exploited on containers configured for runtime access, which is granted to every container by default.

Service Fabric hosts more than 1 million applications and runs on millions of cores daily, according to Microsoft. It powers many Azure offerings, including Azure Service Fabric, Azure SQL Database and Azure CosmosDB, as well as other Microsoft products such as Cortana and Microsoft Power BI.

Using a container they controlled to simulate a compromised workload, the security researchers were able to exploit the vulnerability in Azure Service Fabric. However, some other attempts to exploit the vulnerability in Azure offerings based on managed multi-tenant Service Fabric clusters failed. The reason is that Microsoft disables runtime access for the containers of these offerings.


Palo Alto Networks security researchers worked closely with Microsoft (MSRC) to fix the issue. The vulnerability was fully fixed on June 14, 2022. Microsoft released a patch for Azure Service Fabric to address the issue. The patch has already mitigated the issue in Linux clusters. In addition, internal production environments of offerings and products powered by Service Fabric have also been updated.

The security researchers advise customers running Azure Service Fabric without automatic updates enabled to update their Linux clusters to the latest version of Service Fabric. Customers whose Linux clusters are automatically updated need take no further action. Both Microsoft and Palo Alto Networks recommend avoiding running untrusted applications in Service Fabric.

Although there are no known attacks in the wild that have successfully exploited this vulnerability, organizations are strongly advised to take immediate action to determine if their environments are vulnerable and quickly implement patches if necessary. Details can be read here.
