March 28, 2024

Cybersecurity researchers from Palo Alto Networks Unit 42 disclosed details of a new security flaw affecting Microsoft’s Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster.

The issue, which has been dubbed FabricScape (CVE-2022-30137), could be exploited on containers that are configured to have runtime access. It has been remediated as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0.

Azure Service Fabric is Microsoft’s platform-as-a-service (PaaS) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines.

“The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster,” Microsoft said as part of the coordinated disclosure process.

“Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack.”

A Service Fabric cluster is a network-connected set of several nodes (Windows Server or Linux), each of which are designed to manage and execute applications that consist of microservices or containers.

The vulnerability identified by Unit 42 resides in a component called Diagnostics Collection Agent (DCA) that’s responsible for gathering diagnostic information and relates to what’s called a “symlink race.”

In a hypothetical scenario, an attacker with access to a compromised containerized workload could substitute a file read by the agent (“ProcessContainerLog.txt”) with a rogue symbolic link that could then be leveraged to overwrite arbitrary any file considering DCA runs as root on the node.

“While this behavior can be observed on both Linux containers and Windows containers, it is only exploitable in Linux containers because in Windows containers unprivileged actors cannot create symlinks in that environment,” Unit 42 researcher Aviv Sasson said.

Code execution is subsequently achieved by taking advantage of the flaw to override the “/etc/environment” file on the host, followed by exploiting an internal hourly cron job that runs as root to import malicious environment variables and load a rogue shared object on the compromised container that grants the attacker a reverse shell in the context of root.

“In order to gain code execution, we used a technique called dynamic linker hijacking. We abused the LD_PRELOAD environment variable,” Sasson explained. “During the initialization of a new process, the linker loads the shared object that this variable points to, and with that, we inject shared objects to the privileged cron jobs on the node.

Although there is no evidence that the vulnerability has been exploited in real-world attacks to date, it’s crucial that organizations take immediate action to determine if their environments are susceptible and implement the patches.