Attackers could exploit a now-patched spoofing vulnerability in Service Fabric Explorer to gain admin privileges and hijack Azure Service Fabric clusters.

Service Fabric is a platform for business-critical applications that hosts over 1 million apps and powers many Microsoft products, including but not limited to Microsoft Intune, Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, and multiple core Azure services.

Service Fabric Explorer (SFX), an open-source tool that can be used as a hosted solution or as a desktop app, allows Azure admins to manage and inspect nodes and cloud applications in Azure Service Fabric clusters.

Orca Security found an SFX spoofing flaw (CVE-2022-35829) dubbed FabriXss that could enable potential attackers to gain full Administrator permissions and take over Service Fabric clusters.

"We found that a Deployer type user with a single permission to 'Create new Applications' via the dashboard can use this single permission to create a malicious application name and abuse the Administrator permissions to perform various calls and actions," Orca Security explained.

"This includes performing a Cluster Node reset, which erases all customized settings such as passwords and security configurations, allowing an attacker to create new passwords and gain full Administrator permissions."
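The flaw described above boils down to an application name supplied by a low-privileged user being rendered into the administrator's dashboard. The following is an added example, not code from the article or from Service Fabric Explorer: a dashboard row built from an untrusted name, first without and then with output encoding, plus a deployment-time allow-list check. The `fabric:/<name>` form is how Service Fabric names applications; the strict pattern and the sample names are assumptions constructed for this example.

```javascript
// Added example, not Service Fabric Explorer's own code: shows why a
// user-controlled application name must be encoded before it reaches
// an admin's page, and how to reject suspicious names at deployment time.

// Encode the five characters that can change HTML structure.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the name is concatenated straight into markup,
// so any tags inside it become part of the administrator's page.
function renderRowUnsafe(appName) {
  return `<tr><td class="app-name">${appName}</td></tr>`;
}

// Hardened: the same row, with the name encoded before insertion.
function renderRowSafe(appName) {
  return `<tr><td class="app-name">${escapeHtml(appName)}</td></tr>`;
}

// Defence in depth: reject names outside a conservative allow-list before
// they are stored. This pattern is an assumption for the example, not
// Service Fabric's actual naming rule.
const APP_NAME_RE = /^fabric:\/[A-Za-z0-9_.\-]+(\/[A-Za-z0-9_.\-]+)*$/;
function isAcceptableAppName(appName) {
  return APP_NAME_RE.test(appName);
}

// Constructed sample inputs: one name carrying markup, one ordinary name.
const HOSTILE_NAME = "fabric:/Reports<script>x()</script>";
const BENIGN_NAME = "fabric:/Reports/Billing";

// Returns what each path does with the two names, so the difference
// between the vulnerable and hardened renderers is checkable.
function demo() {
  return {
    unsafeKeepsTag: renderRowUnsafe(HOSTILE_NAME).includes("<script>"),
    safeKeepsTag: renderRowSafe(HOSTILE_NAME).includes("<script>"),
    hostileAccepted: isAcceptableAppName(HOSTILE_NAME),
    benignAccepted: isAcceptableAppName(BENIGN_NAME),
  };
}
```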

No in-the-wild exploitation

Orca Security reported the vulnerability to the Microsoft Security Response Center (MSRC) on August 11 and Microsoft issued security updates to address the flaw during this month's Patch Tuesday on October 11.

A proof-of-concept FabriXss exploit is available in Orca Security's blog post, alongside additional technical details.

Microsoft says FabriXss exploits can only be used in attacks targeting older, unsupported versions of Service Fabric Explorer (SFXv1); the current default SFX web client (SFXv2) is not vulnerable.

"However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1)," Microsoft says.

"The issue requires an attacker to already have code deployment and execution privileges in the Service Fabric cluster and for the target to use the vulnerable web client (SFXv1)."

While Redmond has found no evidence that FabriXss has been abused in attacks, it advises all Service Fabric customers to upgrade to the latest SFX version and not switch to the vulnerable SFXv1 web client version.

According to Microsoft, an upcoming Service Fabric release will also remove SFXv1 and the option to switch to it.

In June, Microsoft also fixed a Service Fabric container escape bug dubbed FabricScape that allowed threat actors to escalate privileges to root and gain control of the host node, compromising the entire SF Linux cluster.
