A spoofing vulnerability in Microsoft Azure Service Fabric can be exploited by attackers to gain admin privileges and take over Service Fabric clusters. Although there are currently no reports of this vulnerability being exploited in the wild, proof-of-concept (PoC) code for this attack vector does exist. Cloud security platform Orca Security first discovered the vulnerability in August and reported it to the Microsoft Security Response Center (MSRC), who state that the vulnerability is not publicly disclosed. However, Orca Security have released a blog post this week exploring the known PoC code and the potential exploitation of this vulnerability.
Azure Service Fabric (SF) is a systems platform that helps developers create and manage cloud applications. It powers many Microsoft services, including Intune, Dynamics 365, Skype for Business, Cortana, Power BI, and multiple Azure services. An SF cluster establishes a network of virtual or physical machines on which services are deployed and managed; each machine within an SF cluster is called a cluster node. Service Fabric Explorer (SFX) is an open-source tool that allows Azure administrators to manage and inspect these nodes and the cloud applications running within SF cluster environments.
Spoofing vulnerability CVE-2022-35829, also known as FabriXss, occurs within SFX and could allow attackers to gain full administrator privileges and take control of SF clusters. If an attacker can access a ‘Deployer’ type user account on SFX, they have the opportunity to ‘Create New Applications’ from the dashboard. Creating a new application with a malicious name can manipulate administrator permissions and perform various calls and actions. Attackers can perform a cluster node reset, which removes all customised passwords and security configurations, allowing them to create new passwords and give themselves full administrator privileges.
PoC code for an exploit of FabriXss shows that the attack begins with a ‘user’ creating a new application using the CreateComposeApplication role on the SFX Dashboard UI. This requires the input of an application name and a YAML file or manual template that describes the cloud infrastructure, including versions, services, and ports. The application name field input is rendered by AngularJS, which means that if a payload is entered here, it will be executed. Researchers attempted to execute CSTI/SSTI (client-side template injection/server-side template injection) payloads in this field. However, this caused errors: although the ‘name’ was rendered as an AngularJS expression, it was not being executed as one.
The payload code needed manipulation before a template expression could be executed via AngularJS, as blank spaces and ‘$’ symbols were not accepted. By HTML-encoding the payload and then adding ‘#’ to escape, the payload could be set as the new application name and executed when the application was created. The expression was now present in the name field; however, cross-site scripting (XSS) injection was still needed in order to perform the attack actions. By inspecting the HTML of the web page listing the current applications, it was found that the application name is placed within anchor (hyperlink) tags in the HTML. These can be escaped by composing a new application with various HTML tags in the name field, together with the name of the original application that was first crafted. After creating this new application and then inspecting the HTML on the page, researchers saw that although hidden from the UI application name, their new style tags were present in the HTML.
The ability to escape the anchor tags allowed a payload to be injected via XSS, enabling attacks such as stealing the current user’s session cookies. Because administrators and non-admin ‘read-only’ users can use the SFX dashboard at the same time, an attacker could potentially perform this attack as a non-admin user while an administrator was also using the dashboard, and steal the administrator’s session cookies. Once administrator permissions have been obtained, nodes within the cluster can be reset. This is done by sending a request for a hook file with a fetch function, fetch.html, from a remote server. When this file has been retrieved, it triggers a fetch request to the Delete Node API endpoint. Similar payloads can be delivered to other endpoints in further attacks, with no further need for encoding in the application name and escaping different HTML functions.
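The root cause described in the two paragraphs above is an application name that reaches the page as markup rather than as text. The following is an added example, not code from the original article or from Service Fabric Explorer itself, showing the weak string-concatenation pattern beside a hardened renderer that encodes the name for each output context, plus an allow-list check a defender would apply at submission time. All function names, the allow-list pattern and the sample name are assumptions constructed for this illustration.

```javascript
// Added example, not code from the original article or from Service Fabric
// Explorer: how an application name supplied by a 'Deployer' user should be
// treated before it reaches the page. Function names are assumptions.

// Encode the characters that can change HTML context. A name that
// contains '</a>' or '<style>' becomes inert text once encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Weak pattern: the raw name is concatenated into the anchor, so any
// markup inside the name closes the tag and is rendered as HTML.
function renderAppLinkUnsafe(appName) {
  return '<a href="#/apps/' + appName + '">' + appName + '</a>';
}

// Hardened pattern: encode for the attribute context (URL component) and
// for the text context (HTML) separately, because the rules differ.
function renderAppLinkSafe(appName) {
  return '<a href="#/apps/' + encodeURIComponent(appName) + '">' +
         escapeHtml(appName) + '</a>';
}

// Defence in depth: reject names that carry markup or template syntax at
// submission time. The allow-list below is an assumed policy for this
// example, not the rule Service Fabric itself enforces.
const APP_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;
function isValidAppName(appName) {
  return APP_NAME_PATTERN.test(String(appName));
}

// Review aid: does a rendered fragment contain the named tag as real
// markup (as opposed to encoded text)? Used to compare the two renderers.
function containsRawTag(html, tagName) {
  const re = new RegExp('<\\s*/?\\s*' + tagName + '\\b', 'i');
  return re.test(html);
}

// Constructed sample name carrying markup and template braces. It is not a
// payload from the article, only a string the renderer must not interpret.
const sampleName = 'demo</a><b>bold</b>{{1+1}}';
console.log('valid name?', isValidAppName(sampleName));
console.log('unsafe  :', renderAppLinkUnsafe(sampleName));
console.log('hardened:', renderAppLinkSafe(sampleName));
```

Note that HTML encoding neutralises tags but does not neutralise AngularJS interpolation: the `{{1+1}}` in the sample survives encoding unchanged, so the encoded name must still be bound to the page as data (a text binding) and never handed to the template compiler. The allow-list closes that gap as well, since it rejects braces, angle brackets and quotes outright.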
Despite the elevation of privilege and loss of confidentiality that occur in this attack, CVE-2022-35829 has a ‘medium’ severity CVSS score. A range of base scores is recorded, from 4.8 by NIST’s National Vulnerability Database (NVD) to 6.2 by Microsoft. The reason for this lower severity rating is that the attacker requires ‘CreateComposeDeployment’ permissions in SFX before they are able to exploit the flaw. User interaction is also required for a successful attack, as the victim would need to click on the XSS payload in order for the browser on their machine to become compromised.
An official patch for this vulnerability was released as part of Microsoft’s Patch Tuesday on 11th October. The version of SFX in use can be checked by looking at the URL. If it ends in old.html, this is the vulnerable version, SFXv1, and needs updating. If the URL ends in index.html, this is version SFXv2, the updated version containing the patch for this flaw. Microsoft have advised that SFXv2 is loaded by default on supported SF Runtime versions, so using the most up-to-date Runtime is the best defence against this sort of attack. Unsupported versions of Service Fabric Runtime, including versions 8.1.316 and below, are vulnerable to exploitation. Microsoft’s list of supported SF versions can be used to update to the latest available version as soon as possible.
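The two indicators in the paragraph above (the SFX URL suffix and the SF Runtime version) are easy to apply by hand to one cluster but tedious across an estate. The following is an added example, not code from the original article or from Microsoft, of a small triage helper that applies both indicators to an inventory of clusters. The inventory records, cluster names, hostnames and runtime versions other than 8.1.316 are constructed sample values; the function names are assumptions.

```javascript
// Added example, not code from the original article or from Microsoft: apply
// the article's two indicators (old.html => SFXv1, index.html => SFXv2;
// SF Runtime 8.1.316 and below unsupported) to a constructed cluster inventory.

const LAST_UNSUPPORTED_RUNTIME = '8.1.316'; // threshold stated in the article

// Parse a dotted version string such as '8.1.316' into numeric components.
function parseVersion(v) {
  const parts = String(v).trim().split('.').map(p => Number.parseInt(p, 10));
  if (parts.length < 2 || parts.some(Number.isNaN)) {
    throw new Error('unparseable version: ' + v);
  }
  return parts;
}

// Numeric component-wise comparison; returns -1, 0 or 1. Missing trailing
// components are treated as 0, so '8.1' compares equal to '8.1.0'.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify the SFX build from the path component of the dashboard URL.
// Query strings and fragments are ignored on purpose.
function sfxVersionFromUrl(url) {
  const path = new URL(url).pathname.toLowerCase();
  if (path.endsWith('/old.html')) return 'SFXv1';
  if (path.endsWith('/index.html')) return 'SFXv2';
  return 'unknown';
}

// Produce a triage record for one cluster: which SFX build is in use, whether
// the runtime is at or below the unsupported threshold, and the findings.
function triageCluster(cluster) {
  const sfx = sfxVersionFromUrl(cluster.sfxUrl);
  const runtimeUnsupported =
    compareVersions(cluster.runtimeVersion, LAST_UNSUPPORTED_RUNTIME) <= 0;
  const findings = [];
  if (sfx === 'SFXv1') {
    findings.push('SFXv1 (old.html) in use: affected by CVE-2022-35829');
  } else if (sfx === 'unknown') {
    findings.push('SFX build could not be determined from URL; verify manually');
  }
  if (runtimeUnsupported) {
    findings.push('SF Runtime ' + cluster.runtimeVersion +
                  ' is unsupported (8.1.316 or below)');
  }
  return {
    name: cluster.name,
    sfx,
    runtimeUnsupported,
    findings,
    action: findings.length ? 'update' : 'none',
  };
}

// Constructed inventory (hostnames and versions are placeholders).
const inventory = [
  { name: 'cluster-a', sfxUrl: 'https://cluster-a.example:19080/Explorer/old.html',   runtimeVersion: '8.1.316' },
  { name: 'cluster-b', sfxUrl: 'https://cluster-b.example:19080/Explorer/index.html', runtimeVersion: '8.2.100' },
  { name: 'cluster-c', sfxUrl: 'https://cluster-c.example:19080/Explorer/',           runtimeVersion: '9.0.100' },
];

function triageInventory(list) {
  return list.map(triageCluster);
}

for (const r of triageInventory(inventory)) {
  console.log(r.name, r.action, r.findings);
}
```

The runtime check reproduces only the threshold the article gives; a runtime above 8.1.316 is not thereby shown to be patched, so the SFX build indicator (which file the dashboard loads) remains the direct test, and a URL that ends in neither file is reported for manual verification rather than silently passed.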
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)