Tear in Microsoft Azure Service Fabric can give attackers full admin privileges
Orca Security disclosed the bug, and older versions remain vulnerable
A proof-of-concept exploit has been published detailing a spoofing vulnerability in Microsoft Azure Service Fabric. The flaw allows attackers to gain full administrator permissions and then perform any manner of malicious activity.
Orca Security researcher Lidor Ben Shitrit found the bug and reported it to Microsoft, which released a partial fix for CVE-2022-35829 in its October Patch Tuesday. The vulnerability received a 6.4 CVSS score.
There are two versions of Service Fabric Explorer. All new development focuses on version 2 (SFXv2), so Microsoft doesn't fix any holes in the older version, SFXv1, unless it's a critical bug. That means releases 8.1.316 and below remain vulnerable to exploitation.
According to Microsoft, a vulnerable version of Service Fabric Explorer has a URL that ends in "old.html."
On supported versions, SFXv2 loads by default and is not affected. To confirm you're running a supported SFXv2 build, check that the dashboard URL ends in "index.html."
According to Shitrit, Microsoft had planned to remove the old, vulnerable version completely, but this apparently didn't happen. "Orca is unsure why it has not yet been removed or when [Microsoft] plans to do so," he told The Register. "It depends on Microsoft's timeline."
We've asked the software behemoth about this, but have yet to hear back.
Now that there's a POC for this exploit, we'd recommend checking your version ASAP and upgrading to a supported version if needed – before miscreants scanning for bugs find CVE-2022-35829 and use it to wreak havoc on your cloud apps.
Azure Service Fabric is Microsoft's platform for building, deploying, and managing distributed microservices-based cloud applications. It runs on Windows and Linux, and across any cloud or in on-premises environments.
The vulnerability that Orca found affects Service Fabric Explorer (SFX), which is a shared dashboard for managing cloud apps and nodes in an Azure Service Fabric cluster. Different users have various levels of access and permissions.
In their POC published today, Shitrit and fellow Orca researcher Roee Sagi explained that the vulnerability, which they dubbed "FabriXss" (pronounced "fabrics"), allows an attacker to gain full administrator permissions on the Service Fabric cluster.
FabriXss could allow miscreants to perform a cluster node reset, thus erasing all customized settings including passwords and security configurations. Then they could create new passwords and gain full admin permissions.
"The size of the threat depends on the number of clusters set up within user organizations and if those have non-admin users that use the CreateComposeApplication role to create applications and the vulnerable SFXv1," Shitrit told The Register.
Exploiting this bug starts with injecting template expressions into an application name, which the SFXv1 dashboard then evaluates when it renders the name: Client Side Template Injection (CSTI), as the Orca team explained.
Next, the attacker would need to break out of CSTI and into stored XSS:
In order to break out of CSTI to XSS, we will need to see exactly how the application name is created and formatted. Focusing on our current valid application (nginx), we can see that "fabric:/" was appended to it like it should be.
Finally, the attacker can use the stored XSS to create a custom role with admin-level privileges, then reset one of the nodes and execute the payload.
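The two practical questions for an operator reading this are the ones the article raises: is my cluster on a release (8.1.316 or below) that still serves the vulnerable SFXv1 at old.html, and has a Deployer-type user already planted a template-injection or HTML payload in an application name? The Python below is an added example written for this page; it is not Orca's proof of concept and not Microsoft's tooling. It assumes the cluster version string is a dotted numeric release such as "8.2.1235.9590", that the application list has the shape returned by the Service Fabric REST call GET /Applications?api-version=6.0 (an "Items" array whose entries carry a "Name" like "fabric:/nginx"), and it uses a heuristic marker list of my own (AngularJS "{{ }}" delimiters, angle brackets, event-handler attributes, "javascript:"). The sample version strings, URL and application list are constructed, not captured from a real cluster, and the "{{7*7}}" probe is the generic AngularJS CSTI test expression, not the FabriXss payload.

```python
"""Audit helpers for CVE-2022-35829 (FabriXss) - added example, not project code.

Checks, all offline on data you paste in or pull from the cluster REST API:
  1. cluster release at or below 8.1.316 (still ships SFXv1 / old.html)
  2. dashboard URL ends in old.html rather than index.html
  3. stored application names that carry template or HTML injection markers
"""
import json
import re
from typing import Iterable, List, Tuple

# Per the article: releases 8.1.316 and below remain vulnerable.
LAST_VULNERABLE_VERSION = (8, 1, 316)

# Heuristic markers, chosen for this example (assumption, not a vendor list):
# AngularJS interpolation delimiters, raw HTML tags, inline event handlers,
# javascript: URLs and the 'constructor' trick used in sandbox escapes.
SUSPICIOUS = re.compile(
    r"\{\{|\}\}|<|>|javascript:|constructor|\bon\w+\s*=", re.IGNORECASE
)


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.2.1235.9590' -> (8, 2, 1235, 9590). Non-numeric fragments are dropped."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return parts


def cluster_version_is_vulnerable(version: str) -> bool:
    """True when the major.minor.build triple is 8.1.316 or older.

    Tuple comparison handles short strings: (8, 1) <= (8, 1, 316) is True."""
    return parse_version(version)[:3] <= LAST_VULNERABLE_VERSION


def sfx_url_is_old_version(url: str) -> bool:
    """Microsoft's own tell: SFXv1 is served from old.html, SFXv2 from index.html.

    Query string and fragment are stripped before looking at the path."""
    path = url.split("?", 1)[0].split("#", 1)[0].rstrip("/")
    return path.lower().endswith("old.html")


def find_suspicious_application_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, first_marker) for every application name that matches."""
    findings = []
    for name in names:
        m = SUSPICIOUS.search(name)
        if m:
            findings.append((name, m.group(0)))
    return findings


def audit(version: str, sfx_url: str, applications_json: str) -> dict:
    """Run all three checks over the raw /Applications response body."""
    items = json.loads(applications_json)["Items"]
    names = [item["Name"] for item in items]
    return {
        "cluster_version_vulnerable": cluster_version_is_vulnerable(version),
        "sfx_old_html": sfx_url_is_old_version(sfx_url),
        "suspicious_application_names": find_suspicious_application_names(names),
    }


# Constructed sample data for the example (not a real cluster).
SAMPLE_VERSION = "8.1.316.9590"
SAMPLE_SFX_URL = "https://mycluster.example:19080/Explorer/old.html#/"
SAMPLE_APPLICATIONS = json.dumps({
    "ContinuationToken": "",
    "Items": [
        {"Id": "nginx", "Name": "fabric:/nginx", "TypeName": "NginxType"},
        # Generic AngularJS CSTI probe, stored by a Deployer-type user.
        {"Id": "probe", "Name": "fabric:/{{7*7}}", "TypeName": "NginxType"},
        # Raw HTML that would render as stored XSS in an unescaped view.
        {"Id": "img", "Name": "fabric:/<img src=x onerror=alert(1)>", "TypeName": "NginxType"},
    ],
})

if __name__ == "__main__":
    result = audit(SAMPLE_VERSION, SAMPLE_SFX_URL, SAMPLE_APPLICATIONS)
    print(json.dumps(result, indent=2))
```

Feed `audit()` the real values: the cluster version from the cluster manifest or the Explorer "about" panel, the URL your browser lands on, and the JSON body of GET /Applications. Any finding in the third list deserves an immediate look at who deployed that application, since the article notes a single "Create new Applications" permission is enough to store the payload.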
Service Fabric Explorer is shared, and by default there are two permissions levels: read only and admin. However, as the Orca researchers explained, "there is an option to modify the read only client permissions to create a custom user which is not an administrator but still able to perform specific tasks."
They were able to abuse the stored XSS by creating a custom client user – a deployer user – and then creating a malicious app to send the payload.
"We found that a Deployer type user with a single permission to 'Create new Applications' via the dashboard, can use this single permission to create a malicious application name and abuse the administrator permissions to perform various calls and actions," the researchers wrote. ®