Azure vulnerability opens door to remote takeover attacks

A vulnerability in Microsoft Azure software could leave some systems vulnerable to remote takeover attacks.

Researchers at security vendor Orca Security uncovered CVE-2022-35829, also known as FabriXss. The vulnerability, which has been patched by Microsoft and classified as "important" severity, was found within Azure Service Fabric Explorer, a component of the Azure Service Fabric microservices platform found in both server and client software.

While it is not technically a cloud vulnerability, CVE-2022-35829 affects Azure customers running Service Fabric Explorer version 8.1.316 or older. Orca said exploitation of the Azure vulnerability gives threat actors full administrator permissions on a Service Fabric cluster.

The Orca researchers discovered that an account with deployment permissions will be able to send server nodes malicious scripts that can perform several nefarious tasks. Specifically, the team found that when a new application object was created via the Dashboard, user input is executed without security checks.

"We found that a Deployer-type user with a single permission to 'create new applications' via the dashboard can use this single permission to create a malicious application name and abuse the administrator permissions to perform various calls and actions," explained Orca researchers Lidor Ben Shitrit and Roee Sagi in a blog post Wednesday.

This, in turn, opens the door for client-side code injection. The attacker could, for example, seed the application with scripts to give administrator access over the host node, create new accounts or even wipe accounts.

The result is a client-side template injection that would let threat actors perform cross-site scripting attacks to raise their privileges or take down nodes and the services they host. In some cases, the attacker would even be able to create new accounts for themselves with unique privileges.

"By default, there are two permission levels in service fabric -- Read Only and Admin," wrote Shitrit and Sagi. "However, there is an option to modify the read-only client permissions to create a custom user, which is not an administrator but still able to perform specific tasks."

In proof-of-concept demonstrations, the Orca team was able to not only elevate low-privilege accounts to administrator levels and create new accounts with high privileges, but also delete existing passwords and configurations by performing a cluster node reset.

Orca said it does not have a figure as to exactly how many Azure installations or users might be exposed to FabriXss. Fortunately, there are some mitigating factors in place. The Orca researchers told TechTarget Editorial that two major conditions need to be present for the vulnerability to be exploited:

First, the SFXv1 UI Dashboard must be in use. This older UI option is not enabled by default for Service Fabric. Additionally, the threat actor's account must have the "CreateComposeApplication" variable enabled; this is the elevated privilege that allows for the creation of the malicious script.

Microsoft, meanwhile, addressed the vulnerability in this month's edition of the Patch Tuesday security rollout. Administrators can get the fixes by making sure Service Fabric Explorer 8.1.316 or later is installed.