Attackers could exploit a now-patched spoofing vulnerability in Service Fabric Explorer to gain admin privileges and hijack Azure Service Fabric clusters.
Service Fabric is a platform for business-critical applications that hosts over 1 million apps and powers many Microsoft products, including but not limited to Microsoft Intune, Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, and multiple core Azure services.
Service Fabric Explorer (SFX), an open-source tool that can be used as a hosted solution or as a desktop app, allows Azure admins to manage and inspect nodes and cloud applications in Azure Service Fabric clusters.
Orca Security found an SFX spoofing flaw (CVE-2022-35829) dubbed FabriXss that could enable potential attackers to gain full Administrator permissions and take over Service Fabric clusters.
“We found that a Deployer type user with a single permission to ‘Create new Applications’ via the dashboard, can use this single permission to create a malicious application name and abuse the Administrator permissions to perform various calls and actions,” Orca Security explained.
“This includes performing a Cluster Node reset, which erases all customized settings such as passwords and security configurations, allowing an attacker to create new passwords and gain full Administrator permissions.”
No in-the-wild exploitation
Orca Security reported the vulnerability to the Microsoft Security Response Center (MSRC) on August 11 and Microsoft issued security updates to address the flaw during this month’s Patch Tuesday on October 11.
A proof of concept FabriXss exploit is available in Orca Security’s blog post alongside additional technical details.
Microsoft says FabriXss exploits can only be used in attacks targeting older, unsupported versions of Service Fabric Explorer (SFXv1), with the current default SFX web client (SFXv2) not being vulnerable to attacks.
“However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1),” Microsoft says.
“The issue requires an attacker to already have code deployment and execution privileges in the Service Fabric cluster and for the target to use the vulnerable web client (SFXv1).”
While Redmond has found no evidence that FabriXss has been abused in attacks, it advises all Service Fabric customers to upgrade to the latest SFX version and not switch to the vulnerable SFXv1 web client version.
According to Microsoft, an upcoming Service Fabric release will also remove SFXv1 and the option to switch to it.
In June, Microsoft also fixed a Service Fabric container escape bug dubbed FabricScape that allowed threat actors to escalate privileges to root and gain control of the host node, compromising the entire SF Linux cluster.
Source: https://www.bleepingcomputer.com/news/security/microsoft-azure-sfx-bug-let-hackers-hijack-service-fabric-clusters/
