September 22, 2023

Researchers have disclosed details of a new security flaw affecting Microsoft’s Service Fabric that could be exploited to obtain elevated permissions and take control of all nodes in a cluster.

The issue, dubbed FabricScape and tracked as CVE-2022-30137, can be exploited on containers that are configured to have runtime access.

Azure Service Fabric is Microsoft’s PaaS and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines.


A Service Fabric cluster is a network-connected set of several nodes, each of which is designed to manage and execute applications that consist of microservices or containers. Every node runs multiple components, allowing multiple nodes to work in synergy and form a reliable and distributed cluster.

This vulnerability could enable threat actors with access to a compromised container to escalate privileges and gain control of the resource’s host SF node and the entire cluster. Though the bug exists on both OS platforms, it is only exploitable on Linux; Windows has been thoroughly assessed and found not to be vulnerable to this attack.

The vulnerability resides in a component called the Diagnostics Collection Agent (DCA), which is responsible for gathering diagnostic information, and relates to what’s called a symlink race.

In certain cases, an attacker with access to a compromised containerized workload could substitute a file read by the agent (“ProcessContainerLog.txt”) with a rogue symbolic link that could then be leveraged to overwrite any arbitrary file, since DCA runs as root on the node.

Code execution is subsequently achieved by taking advantage of the flaw to override the “/etc/environment” file on the host, followed by exploiting an internal hourly cron job that runs as root to import malicious environment variables and load a rogue shared object on the compromised container that grants the attacker a reverse shell in the context of root.


A Service Fabric cluster is single-tenant by design, and hosted applications are considered trusted. To exploit FabricScape, the compromised container must have runtime access because that is necessary for the logs directory to be accessible.

If developers consider their applications as untrusted or if the cluster is multitenant, this access can be disabled for each application on the cluster separately by modifying each application manifest and setting RemoveServiceFabricRuntimeAccess to true.
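As an added example (not code from Microsoft or Unit 42), the following audit parses an application manifest and reports which imported services still have runtime access. It assumes the `ServiceFabricRuntimeAccessPolicy` element from Microsoft's manifest schema, placed under `Policies` in each `ServiceManifestImport`; the manifest and service names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}

# Constructed sample manifest: one hardened service, one explicit "false", one with no policy.
SAMPLE_MANIFEST = """<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
    ApplicationTypeName="DemoAppType" ApplicationTypeVersion="1.0.0">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="FrontendPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <ServiceFabricRuntimeAccessPolicy RemoveServiceFabricRuntimeAccess="true" />
    </Policies>
  </ServiceManifestImport>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WorkerPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <ServiceFabricRuntimeAccessPolicy RemoveServiceFabricRuntimeAccess="false" />
    </Policies>
  </ServiceManifestImport>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="LegacyPkg" ServiceManifestVersion="1.0.0" />
  </ServiceManifestImport>
</ApplicationManifest>"""


def audit_runtime_access(manifest_xml):
    """Map each imported service manifest name to True if runtime access is removed."""
    root = ET.fromstring(manifest_xml)
    result = {}
    for imp in root.findall("sf:ServiceManifestImport", NS):
        ref = imp.find("sf:ServiceManifestRef", NS)
        name = ref.get("ServiceManifestName") if ref is not None else "<unnamed>"
        policy = imp.find("sf:Policies/sf:ServiceFabricRuntimeAccessPolicy", NS)
        # Assumption: a missing policy or attribute means runtime access is still
        # granted. Parameterised values such as "[SomeParam]" are flagged too.
        value = policy.get("RemoveServiceFabricRuntimeAccess", "false") if policy is not None else "false"
        result[name] = value.strip().lower() in ("true", "1")
    return result


def exposed_services(manifest_xml):
    """Return the sorted names of services that still have runtime access."""
    return sorted(n for n, removed in audit_runtime_access(manifest_xml).items() if not removed)


if __name__ == "__main__":
    for name in exposed_services(SAMPLE_MANIFEST):
        print(f"runtime access still enabled: {name}")
```

Run it against each ApplicationManifest.xml in the cluster's application packages; any service it lists keeps the runtime access that FabricScape depends on.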

Even though there is no evidence that the vulnerability has been exploited in real-world attacks to date, it’s crucial that organizations take immediate action to determine if their environments are susceptible and implement the patches.

Customers running Azure Service Fabric without automatic updates enabled are advised to upgrade their Linux clusters to the most recent Service Fabric release. Customers whose Linux clusters are automatically updated do not need to take further action. Other Azure-managed Service Fabric clusters are safe as Microsoft has updated its software.


Researchers from Palo Alto Unit 42 disclosed the vulnerability, including the exploit, to Microsoft on Jan. 30, 2022. Microsoft released a fix for the issue on June 14, 2022.
