Microsoft Azure Service Fabric Linux Workloads Are Affected by a New 'FabricScape' Bug


Palo Alto Networks Unit 42 has published details of a new security flaw that could allow attackers to gain elevated privileges and seize control of every node in a cluster.


FabricScape (CVE-2022-30137) is a vulnerability that can be exploited by an attacker who already has runtime access to a container. It was fixed in Service Fabric 9.0 Cumulative Update 1.0, released on June 14, 2022.


Service Fabric, offered as the Azure Service Fabric platform, is Microsoft's PaaS and container orchestrator for building and deploying microservices-based cloud applications across a cluster of machines.


For an attacker to gain full control of the host SF node and the entire cluster, "the vulnerability requires access to a compromised container," Microsoft said in a statement issued as part of the coordinated disclosure process. Although the bug exists on both operating systems, it is only exploitable on Linux; Windows was thoroughly vetted and found not to be vulnerable.


In a Service Fabric cluster, there are several nodes (Windows Server or Linux), each of which is designed to manage and run microservices or containers.


A "symlink race" is the term used to describe the vulnerability found by Unit 42 in a component called Diagnostics Collection Agent (DCA), which is responsible for gathering diagnostic information.


Because DCA runs as root on the node, an attacker who has gained access to a compromised containerized workload can replace the legitimate "ProcessContainerLog.txt" file that the agent reads with a malicious symbolic link.


Despite the fact that "this behavior can be observed on both Linux containers and Windows containers," Unit 42 researcher Aviv Sasson explained, "it is only exploitable in Linux containers because in Windows containers unprivileged actors cannot create symlinks."
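The symlink swap described above works because a privileged collector opens a file by path inside a directory the container controls and follows whatever that path now points to. The following added example (not code from the article or from Service Fabric) contrasts that naive read with a hardened one that uses O_NOFOLLOW and an fstat check so a swapped-in symlink is refused. The directory layout, file names and the "host" file it points at are constructed in a temporary directory for the demonstration.

```python
import errno
import os
import stat
import tempfile


def naive_read(path):
    """The vulnerable pattern: open by path and follow whatever it resolves to.

    Run as root, this happily reads (or, with a write mode, clobbers) any host
    file a container-controlled symlink points at.
    """
    with open(path, "rb") as f:
        return f.read()


def safe_open_nofollow(path, expected_uid=None):
    """Open `path` without following a symlink in its final component.

    O_NOFOLLOW makes the kernel fail with ELOOP if the last path component is a
    symlink; the fstat checks then confirm we hold a regular file owned by the
    expected user rather than a device, FIFO or someone else's file.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(f"refusing to follow symlink: {path}") from exc
        raise
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise PermissionError(f"not a regular file: {path}")
    if expected_uid is not None and st.st_uid != expected_uid:
        os.close(fd)
        raise PermissionError(f"unexpected owner uid {st.st_uid}: {path}")
    return fd


def safe_read(path, expected_uid=None):
    """Hardened replacement for naive_read()."""
    fd = safe_open_nofollow(path, expected_uid)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: a container log file has been swapped for a symlink.

    Returns (what the naive reader got, what the hardened reader did).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for a sensitive host file (constructed, not /etc/environment).
        host_file = os.path.join(tmp, "host_environment")
        with open(host_file, "w") as f:
            f.write("PATH=/usr/bin\n")

        # Stand-in for the container-controlled log directory.
        log_dir = os.path.join(tmp, "container_logs")
        os.mkdir(log_dir)
        log_path = os.path.join(log_dir, "ProcessContainerLog.txt")
        os.symlink(host_file, log_path)  # the swap the collector must not trust

        naive_result = naive_read(log_path)  # follows the link to the host file
        try:
            safe_read(log_path)
            hardened_result = "followed"
        except PermissionError:
            hardened_result = "refused"
        return naive_result, hardened_result


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only protects the final path component; a collector that walks into an untrusted directory should also open that directory once and use `os.open(name, flags, dir_fd=...)` for each child so that parent components cannot be swapped underneath it between the check and the open.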


Once the flaw has been used to overwrite the host's "/etc/environment" file, code execution is achieved by loading a rogue shared object from the compromised container, which grants the attacker a reverse shell running as root via an hourly internal cron job.


"We used a technique called dynamic linker hijacking in order to gain code execution," Sasson explained. "We were abusing the LD_PRELOAD environment variable. We inject shared objects into the privileged cron jobs on the node when the linker loads the shared object pointed to by this variable during the initialization of a new process."
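Because the escalation path runs through /etc/environment, a quick defensive check is to audit that file for loader-control variables such as LD_PRELOAD and flag any entry that points outside the system library directories. The following added example (not from the article or from Unit 42) parses the KEY=VALUE format that pam_env reads from /etc/environment and reports such entries; the sample file contents are constructed for the demonstration and the trusted-prefix list is an assumption to adjust per distribution.

```python
# Constructed sample of an /etc/environment file (not captured from a real host).
SAMPLE_ENVIRONMENT = """\
# system-wide environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
LANG=en_US.UTF-8
LD_PRELOAD=/tmp/.cache/libhook.so
"""

# Variables that make the dynamic linker load attacker-chosen code into every
# new process, including root cron jobs.
LOADER_CONTROL_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# Assumed system library locations; tune for the distribution in use.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_environment(text):
    """Parse /etc/environment-style KEY=VALUE lines into a dict.

    Mirrors what pam_env accepts: blank lines and '#' comments are skipped, an
    optional leading 'export ' is tolerated, and matching surrounding quotes
    are stripped from the value.
    """
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def _is_trusted_location(path):
    return any(path == p or path.startswith(p + "/") for p in TRUSTED_PREFIXES)


def audit_environment(text):
    """Return one finding per path listed in a loader-control variable."""
    findings = []
    env = parse_environment(text)
    for var in LOADER_CONTROL_VARS:
        if var not in env:
            continue
        # LD_PRELOAD separates entries with spaces or colons; LD_LIBRARY_PATH with colons.
        for entry in env[var].replace(":", " ").split():
            findings.append({
                "var": var,
                "path": entry,
                "trusted_location": _is_trusted_location(entry),
            })
    return findings


def audit_file(path="/etc/environment"):
    """Audit a real file on disk; the path argument defaults to the file the article names."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_environment(f.read())


if __name__ == "__main__":
    for finding in audit_environment(SAMPLE_ENVIRONMENT):
        flag = "ok" if finding["trusted_location"] else "SUSPICIOUS"
        print(f"{flag}: {finding['var']} -> {finding['path']}")
```

Any LD_PRELOAD entry in /etc/environment deserves a second look even when it sits under a trusted prefix, since the legitimate system configuration normally has no reason to set it at all; the location check only separates the obviously suspicious cases (paths under /tmp or a home directory) from the ones that need a human to confirm.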


The vulnerability has not yet been seen exploited in the wild, but organizations should immediately check whether their environments are at risk and apply the released patches.
