+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Microsoft Azure Vulnerability Exploit in SF Clusters

A spoofing vulnerability in Microsoft Azure Service Fabric can be exploited by attackers to gain admin privileges and take over Service Fabric clusters. Although there are not currently reports of this vulnerability being exploited in the wild, proof of concept (PoC) code for this attack vector does exist. Cloud security platform Orca Security first discovered this vulnerability in August and reported it to the Microsoft Security Response Center (MSRC), who claim this vulnerability is not publicly disclosed. However, Orca Security have released a blog post this week exploring this known PoC code for potential exploit of this vulnerability. 

 

Azure Service Fabric (SF) is a systems platform that helps developers create and managed cloud applications. It powers many Microsoft services, including Intune, Dynamics 365, Skype for Business, Cortana, Power BI, and multiple Azure services. SF clusters are created to establish a network of virtual or physical machines in which services are managed and deployed; each machine within a SF cluster is called a cluster node. Service Fabric Explorer (SFX) is an open-source tool for Azure administrators which allows them to manage and inspect these nodes and cloud applications within SF cluster environments.  

 

Spoofing vulnerability CVE-2022-35829, also known as FabriXss, occurs within the SFX, and could allow attackers to gain full administrator privileges, and take control of SF clusters. If an attacker can access a ‘Deployer’ type user account on SFX, they will have the opportunity to ‘Create New Applications’ from the dashboard. Creating new applications with a malicious name can manipulate the administrator permissions and perform various calls and actions. Attackers can perform a cluster node reset, which removes all customised passwords and security configurations, allowing them to create new passwords, giving themselves full administrator privileges.  

 

PoC code for an exploit of FabriXss shows the attack begins with a ‘user’ creating a new application using the CreateComposeApplication role on the SFX Dashboard UI. This requires the input of an application name, and a yaml file or manual template, which describes the cloud infrastructure, including versions, services, and ports. The application name field input is rendered by angular JS, which means if a payload is entered here, it will be executed. Researchers attempted to execute CSTI/SSTI (client-side template injection/server-side template injection) payloads in this field. However, this caused errors as although the ‘name’ was rendered as an angular JS expression, it was not being executed as one.  

 

Manipulation was needed of the payload code to execute a template expression via angular JS, as blank spaces and ‘$’ symbols were not accepted. By encoding the payload with HTML, then adding ‘#’ to escape, the payload can now be set to be the new application name and it will be executed when the application is created. This was now present in the name field, however cross-site scripting (XSS) injection is needed in order to perform the attack actions. By inspecting the html on the web page for the list of current applications, it was found that the application name is set within anchor (hyperlink) tags in the html. These can be escaped by composing a new application with various html tags in the name field, as well as the name of the original application that was first crafted. After creating this new application, and then inspecting the html on the page, researchers saw that although hidden from the UI application name, their new style tags were present in the html. 

 

The ability to escape the anchor tags allowed for a payload to be injected via XSS, enabling attacks to take place such as stealing the current user’s session cookies. Because administrators and non-admin ‘read-only’ users can use the SFX dashboard at the same time, attackers could potentially perform this attack as a non-admin user, while an administrator was also using the dashboard, and could steal the administrator’s session cookies. Once administrator permissions have been achieved, nodes within the cluster can be reset. This is done by sending a request for a hook file with a fetch function, fetch.html, from a remote server. When this file has been grabbed, it will trigger a fetch request to be sent to the Delete Node API Endpoint. Similar payloads can be delivered to other endpoints in further attacks, with no further need for encoding in the application name and then escaping different html functions. 

 

Despite the possibility of elevated privileges and loss of confidentiality that occurs in this attack, vulnerability CVE-2022-35829 has a ‘medium’ severity CVSS score. A range of base scores are recorded, from a 4.8 by NIST’s national vulnerability database (NVD) to a 6.2 by Microsoft. The reason for this low severity rating is due to the attacker requiring ‘CreateComposeDeployment’ permissions in SFX before they are able to perform an exploit attack. User interaction is also required for a successful attack, as the victim would need to click on the XSS payload in order for their browser on their machine to become compromised. 

 

An official patch for this vulnerability has been released as a part of Microsoft’s Patch Tuesday on 11th October. The version of SFX in use can be checked by looking at the URL. If it ends in old.html, this is vulnerable version SFXv1 and needs updating. If the URL ends in index.html, this is version SFXv2 and is the updated version containing the patch to fix this flaw. Microsoft have advised that SFXv2 is loaded by default on supported SF Runtime versions so using the most up to date Runtime is the best way to defend against this sort of attack. Unsupported versions of Service Fabric Runtime including versions 8.1.316 and below are vulnerable to exploit. Microsoft’s list of SF supported versions can be used to updated to the latest available version as soon as possible. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.