A proof-of-concept exploit has been released describing a spoofing vulnerability in Microsoft Azure Service Fabric. The bug allows attackers to gain full administrator privileges and then perform any kind of malicious activity.
Orca Security researcher Lidor Ben Shitrit found the bug and reported it to Microsoft, which released a partial fix for CVE-2022-35829 in its October Patch Tuesday. The vulnerability received a CVSS score of 6.4.
There are two versions of Service Fabric Explorer. All new development is focused on version 2 (SFXv2), so Microsoft does not fix vulnerabilities in the older version, SFXv1, unless it is a critical bug. This means that versions 8.1.316 and below are still vulnerable to exploitation.
According to Microsoft, a vulnerable version of Service Fabric Explorer has the URL ending in “old.html”.
On supported versions, SFXv2 is loaded by default and is not affected. To confirm you are running SFXv2, check that the URL ends in “index.html”.
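A small triage helper, added here as an example rather than anything from the article or from Microsoft, that applies the two checks above: the cluster version string (assumed to be the dotted runtime version, e.g. “8.1.316”) against the 8.1.316 cut-off, and the dashboard URL suffix. The URL and function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Highest version the article reports as still vulnerable (SFXv1 no longer patched).
LAST_VULNERABLE_VERSION = (8, 1, 316)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.1.316' (or '8.2.1571.9590', '9.0.1028-preview') into an integer tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def uses_old_explorer(url: str) -> bool:
    """True when the dashboard URL ends in old.html, i.e. the legacy SFXv1 page is served."""
    path = urlparse(url).path.lower()
    return path.endswith("old.html")


def assess(version: str, url: str) -> str:
    """Classify a cluster from its version string and the Explorer URL it serves."""
    v = parse_version(version)
    # Pad to three components and compare numerically: '8.10.0' is newer than '8.1.316',
    # which a plain string comparison would get wrong.
    major_minor_build = (v + (0, 0, 0))[:3]
    if major_minor_build <= LAST_VULNERABLE_VERSION:
        return "vulnerable: version at or below 8.1.316, no SFXv1 fix expected"
    if uses_old_explorer(url):
        return "at risk: newer version but the legacy old.html dashboard is in use"
    return "ok: supported version serving SFXv2 (index.html)"


if __name__ == "__main__":
    # Constructed sample input; the hostname is a placeholder.
    print(assess("8.1.316", "https://cluster.example:19080/Explorer/index.html"))
    print(assess("9.0.1028", "https://cluster.example:19080/Explorer/old.html"))
```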
According to Shitrit, Microsoft had planned to completely remove the old, vulnerable version, but apparently this did not happen. “Orca isn’t sure why it hasn’t been removed yet or when [Microsoft is] planning this,” he told The Register. “That depends on Microsoft’s schedule.”
We’ve asked the software giant about it, but haven’t received an answer yet.
Now that there is a POC for this exploit, we recommend checking your version and updating to a supported version as soon as possible – before bug-searching rogues find CVE-2022-35829 and use it to wreak havoc on your cloud apps.
Azure Service Fabric is Microsoft’s platform for building, deploying, and managing distributed microservices-based cloud applications. It runs on Windows and Linux and in any cloud or on-premises environment.
The vulnerability found by Orca affects Service Fabric Explorer (SFX), a shared dashboard for managing cloud apps and nodes in an Azure Service Fabric cluster. Different users have different access levels and permissions.
In their POC released today, Shitrit and Orca researcher Roee Sagi explained that the vulnerability, which they dubbed “FabriXss” (pronounced “fabrics”), allows an attacker to gain full administrator privileges on the Service Fabric cluster.
FabriXss could allow criminals to perform a cluster node reset, which will erase all custom settings, including passwords and security configurations. Then they could create new passwords and get full administrator rights.
“The size of the threat depends on the number of clusters set up within user organizations and whether these have non-admin users using the CreateComposeApplication role to create applications and the vulnerable SFXv1,” Shitrit told The Register.
Exploiting this flaw starts with executing expressions via Client Side Template Injection (CSTI), the Orca team explained.
Next, the attacker would need to break out of CSTI and move on to stored XSS.
Finally, the attacker can use the stored XSS to create a custom role with admin-level privileges, then reset one of the nodes and run the payload.
Service Fabric Explorer is shared and by default there are two permission levels: read only and administrator. As the Orca researchers explained, “However, there is an option to change the read-only client permissions to create a custom user who is not an administrator but can still perform certain tasks.”
They were able to abuse the stored XSS by creating a custom client user – a deployer user – and then creating a malicious app to send the payload.
“We found that a deployer-type user with a single permission to create new applications via the dashboard could use that single permission to create a malicious application name and abuse the admin permissions to perform various calls and actions,” the researchers wrote. ®
https://www.theregister.com/2022/10/19/azure_service_fabric_vulnerability/ Microsoft Azure Service Fabric exploit released • The Register