FabricScape: Microsoft warns of vuln in Service Fabric

Not trying to spin this as a Linux security hole, surely?

Microsoft is flagging up a security hole in its Service Fabric technology when it is used to run containerized Linux workloads, and is urging customers to upgrade their clusters to the most recent release.

The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

Through a compromised container, for instance, a miscreant could gain control of the Service Fabric node hosting that container, and potentially the entire cluster.

"Though the bug exists on both operating system platforms," Microsoft said, referring to Linux and Windows containers running on Service Fabric, "it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack."

It's unusual to see the words "Windows" and "thoroughly vetted" in the context of security. This time, however, the problem is to do with Microsoft's Service Fabric when running Linux containers. To be clear, it's Microsoft's Linux container management code that is buggy here rather than Linux itself.

The flaw was discovered, reported, and disclosed responsibly by Palo Alto Networks, and the issue – dubbed FabricScape – has been patched (customers using auto-update should have already received the fix). Microsoft has also rolled out the mitigation to products powered by the tech.

Microsoft's Service Fabric is commonly used with Azure and is said to host more than one million applications. It lurks beneath the likes of Azure SQL Database and CosmosDB as well as Redmond buzzphrase of the day, Power BI. As such, discovering a hole can be poked in it is somewhat discomfiting.

As with so many vulnerabilities, the issue is magnified by defaults. The exploit requires the container to have access to the Service Fabric runtime, which, alas, is granted by default. Microsoft helpfully documented the steps required for a successful attack: first compromise a containerized workload deployed by the owner of a Linux Service Fabric cluster. Then substitute an index file read by the Service Fabric Diagnostics Collection Agent (DCA) with a symlink. Win an additional timing race, and control of the machine hosting the Service Fabric node is all yours.
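The pattern described above, a privileged agent reading a file out of a location the container can write to while an attacker swaps that file for a symlink during a timing window, is illustrated by the following added Python example. It is a constructed demonstration of the vulnerability class, not the DCA's code, Palo Alto Networks' exploit, or Microsoft's fix; the file names, the `swap_hook` that stands in for an attacker winning the race, and the ownership check in the hardened reader are all assumptions.

```python
import os
import stat
import tempfile


def read_index_unsafe(path):
    """The vulnerable pattern: a privileged agent opens a file by path inside a
    directory the container can write to. open() follows symlinks, so a symlink
    planted there redirects the read to any file the agent can reach."""
    with open(path, "rb") as f:
        return f.read()


def read_index_checked(path, swap_hook=None):
    """A common but insufficient fix: lstat() first, then open(). The two calls
    are separate syscalls, so an attacker who swaps the file in between wins the
    race. swap_hook is a stand-in (assumption) for the attacker winning that
    timing window."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("index is a symlink")
    if swap_hook is not None:
        swap_hook()
    with open(path, "rb") as f:
        return f.read()


def read_index_safe(path, expected_uid):
    """Hardened form: O_NOFOLLOW makes the kernel refuse a symlink at the final
    path component (ELOOP), and fstat() on the descriptor we actually opened,
    not a second lookup by name, confirms it is a regular file with the expected
    owner. There is no window between check and use."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    with os.fdopen(fd, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("index is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("index has an unexpected owner")
        return f.read()


def demo():
    """Constructed scenario: 'host-secret' plays a file only the agent should be
    able to read, 'index' the container-writable file the agent consumes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "host-secret")
        index = os.path.join(d, "index")
        with open(secret, "wb") as f:
            f.write(b"HOST-ONLY DATA")

        def write_real_index():
            with open(index, "wb") as f:
                f.write(b"real index")

        def swap_for_symlink():
            # rename() over the existing name is atomic: a reader never sees a
            # missing file, only a regular file that has become a symlink.
            tmp = index + ".tmp"
            os.symlink(secret, tmp)
            os.rename(tmp, index)

        # Hardened reader on a legitimate index file: works normally.
        write_real_index()
        results["safe_regular"] = read_index_safe(index, os.getuid())

        # Naive reader after the swap: follows the symlink and leaks the secret.
        swap_for_symlink()
        results["unsafe"] = read_index_unsafe(index)

        # lstat-then-open reader: the swap lands in the window, still leaks.
        os.unlink(index)
        write_real_index()
        results["checked"] = read_index_checked(index, swap_hook=swap_for_symlink)

        # Hardened reader against the symlink: open() fails with ELOOP.
        try:
            read_index_safe(index, os.getuid())
            results["safe"] = "leaked"
        except OSError:
            results["safe"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

O_NOFOLLOW only protects the final path component; if the container also controls an intermediate directory, the agent additionally needs to open from a trusted directory descriptor with `openat()` (or `O_PATH` walks) rather than a full path string, which this example does not show.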

"By design," said Microsoft, "root access on the machine hosting the SF node is not considered a security boundary in an SF cluster; the highest privileged role on a node is equally privileged anywhere in the same cluster."

The patch, according to Microsoft, is "to further strengthen the security in the Linux cluster by adapting the principle of path to least privilege." ®

Biting the hand that feeds IT © 1998–2022