High-severity Microsoft bug opened door to container cluster hijacking

After being tipped off by cybersecurity researchers from Unit 42, a division of Palo Alto Networks, Microsoft has pushed out a patch for a high-severity vulnerability found in Service Fabric.

Publishing a blog post to explain what happened, Microsoft said the vulnerability allowed potential threat actors to obtain rook privileges on a node, further allowing them full takeover of other nodes in the cluster.

Tracked as CVE-2022-30137, the flaw has been dubbed “FabricScape” and is present only in Linux containers. Windows seems to have dodged the bullet, as unprivileged actors cannot create symlinks on the OS.

Accessing containerized workloads

Microsoft describes Service Fabric as the company’s “container orchestrator for deploying and managing microservices across a cluster of machines.” 

Service Fabric is capable of deploying applications in seconds, at high density, with thousands of applications, or containers, per machine. Today, it hosts more than a million applications, and powers major services such as Azure SQL Database, or Azure CosmosDB, SiliconAngle reported.

Thankfully, exploiting the flaw would require a little preparation; the attacker would first need to compromise a containerized workload, deployed by the owner of a Linux SF cluster. Then, the hostile code running inside the container needs to substitute an index file read by SF Diagnostics Collection Agent (DCA) with a symlink.

“Using an additional timing attack, an attacker could gain control of the machine hosting the SF node,” Microsoft explained. 

It would seem as if the flaw has not yet been exploited in the wild, but the researchers are urging users to patch it up immediately, given the severity of the flaw.

The patch has been available since May 26, 2022, and has been applied automatically to all who have automatic updates turned on.

Via SiliconAngle