Highlights:

  • According to Orca, exploiting the Azure flaw grants threat actors full administrator access to a Service Fabric cluster.
  • CVE-2022-35829, also known as FabriXss, was discovered by Orca Security’s research team.

Microsoft Corp.’s Azure was found to have a previously undiscovered vulnerability that permitted remote code execution by attackers, according to cloud cybersecurity company Orca Security Ltd.

The “Super FabriXss” flaw, demonstrated at BlueHat IL 2023, escalates a reflected cross-site scripting vulnerability in Azure Service Fabric Explorer. The demonstration shows how unauthenticated remote code execution can be reached by using the metrics tab to enable a particular toggle in the console, the “Cluster Type” toggle.

According to Orca, Super FabriXss is a cross-site scripting (XSS) vulnerability that affects Azure Service Fabric Explorer. It lets remote, unauthenticated attackers run code on a container hosted on a Service Fabric node.

Without needing authentication, remote code execution on a container hosted on a Service Fabric node can be accomplished via the XSS vulnerability. The XSS flaw becomes a full RCE vulnerability when a user clicks on a specially constructed malicious link and changes the “Cluster” Event Type setting under the Events tab.

The vulnerability has to be exploited in two steps. In the first, an embedded iframe is used to start a fetch request. Afterward, the attacker’s code uses the upgrade procedure to replace the current deployment with a new, malicious one. The new deployment’s Dockerfile contains a CMD instruction that downloads a remote .bat file.

After the .bat file is downloaded and run, it looks for another file containing an encoded reverse shell. The attacker can then use the reverse shell to obtain remote access to the target system and take over the cluster node hosting the container.

Orca Security disclosed the vulnerability to the Microsoft Security Response Center before making it public. After investigating the problem, Microsoft assigned it CVE-2023-23383 and a Common Vulnerability Scoring System score of 8.2, which denotes “important” severity. Microsoft then issued a fix as part of the March 2023 Patch Tuesday release.

Service Fabric Explorer versions 9.1.1583.9590 and earlier are vulnerable. The Orca researchers advise users who have not yet upgraded Service Fabric Explorer to do so to prevent exposure.
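A triage sketch for the version guidance above, added here as an example and not taken from Orca or Microsoft. It assumes you have already exported a cluster-to-version inventory by your own means; the cluster names and every version string other than the 9.1.1583.9590 threshold are constructed.

```python
import re

# Last vulnerable version named in the article; the bound is inclusive.
LAST_VULNERABLE = (9, 1, 1583, 9590)
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints, or return None if malformed."""
    text = (text or "").strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory):
    """Map each cluster name to 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for name, raw in inventory.items():
        version = parse_version(raw)
        if version is None:
            # Fail closed: an unreadable version needs a manual check,
            # it must never be silently counted as patched.
            result[name] = "unknown"
        elif version <= LAST_VULNERABLE:
            result[name] = "vulnerable"
        else:
            result[name] = "patched"
    return result


# Constructed inventory (hypothetical names, illustrative versions).
SAMPLE_INVENTORY = {
    "sf-prod-weu": "9.1.1583.9590",  # exactly the threshold: still vulnerable
    "sf-dev": "9.0.1121.9590",
    "sf-stage": "9.1.1653.9590",
    # A plain string comparison would rank this above the threshold
    # ("9" > "1"); the numeric tuple comparison ranks 999 below 1583.
    "sf-odd": "9.1.999.0",
    "sf-broken": "9.1.x",
    "sf-missing": None,
}

if __name__ == "__main__":
    for cluster, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{cluster:12} {status}")
```
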