"Azure Service Fabric Vulnerability Can Lead to Cluster Takeover"

Microsoft has recently patched a vulnerability that could allow an attacker with access to an Azure Linux container to escalate privileges and take over the entire cluster.  The vulnerability is tracked as CVE-2022-30137 and impacts Service Fabric, Microsoft’s container orchestrator that provides management of services across container clusters.  Microsoft says Service Fabric hosts over one million applications.  According to security researchers at Palo Alto Networks, the security issue is exploitable only on containers with access to the Service Fabric runtime, which implies access to the log directory.  The researchers noted that Service Fabric clusters consider hosted applications to be trusted, thus allowing them to access the Service Fabric runtime data by default, which means that applications can access information about their environment and write logs to specific locations.  The security hole impacts Data Collection Agent (DCA), a Service Fabric component that “handles files that could be modified by containers,” thus allowing for container escape and root access to the node.  DCA uses the LoadFromFile and SaveToFile functions to read from and write to files.  The researchers stated that this functionality results in a symlink race.  An attacker in a compromised container could place malicious content in the file that LoadFromFile reads.  The researchers noted that while it continues to parse the file, the attacker could overwrite the file with a symlink to a desirable path so that later SaveToFile will follow the symlink and write the malicious content to that path.  According to Microsoft, an attacker able to execute code inside a container that has access to the Service Fabric runtime would also need read/write access to the cluster to successfully exploit the vulnerability.   The vulnerability exists in both Linux and Windows clusters but can only be exploited on Linux.  On May 26, Microsoft released a fix for the bug in Service Fabric runtime and delivered it to all Azure customers with automatic updates enabled.

SecurityWeek reports: "Azure Service Fabric Vulnerability Can Lead to Cluster Takeover"