Microsoft has patched a vulnerability that could allow an attacker with access to an Azure Linux container to escalate privileges and take over the entire cluster.
Tracked as CVE-2022-30137, the vulnerability impacts Service Fabric, Microsoft’s container orchestrator that provides management of services across container clusters. Microsoft says Service Fabric hosts over one million applications.
The security issue is exploitable only on containers with access to the Service Fabric runtime, which implies access to the log directory, according to Palo Alto Networks security researchers, who identified and reported the issue.
Service Fabric clusters consider hosted applications to be trusted, thus allowing them to access the Service Fabric runtime data by default, which means that applications can access information about their environment and write logs to specific locations, the researchers note.
The security hole impacts Data Collection Agent (DCA), a Service Fabric component that “handles files that could be modified by containers”, thus allowing for container escape and root access to the node. DCA uses the LoadFromFile and SaveToFile functions to read from and write to files, respectively.
“This functionality results in a symlink race. An attacker in a compromised container could place malicious content in the file that LoadFromFile reads. While it continues to parse the file, the attacker could overwrite the file with a symlink to a desirable path so that later SaveToFile will follow the symlink and write the malicious content to that path,” Palo Alto Networks explains.
According to Microsoft, an attacker able to execute code inside a container that has access to the Service Fabric runtime would also need read/write access to the cluster to successfully exploit the vulnerability. The vulnerability exists in both Linux and Windows clusters, but can only be exploited on Linux.
On May 26, Microsoft released a fix for the bug in Service Fabric runtime and delivered it to all Azure customers with automatic updates enabled. On June 14, Microsoft published an advisory on the vulnerability and announced the patches for customers with automatic updates. All Azure customers are advised to apply the available security updates as soon as possible.
“Azure Service Fabric team is releasing a patch to further strengthen the security in the Linux cluster by adapting the principle of path to least privilege,” Microsoft said in its advisory.