Microsoft Fixes ‘Hazardous’ RCE Vulnerability in Azure Cloud Service

March 30, 2023

Microsoft has recently patched a critical remote code execution (RCE) vulnerability in its Azure Service Fabric component. This flaw, if exploited, would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform. Researchers from Orca Security discovered the cross-site scripting (XSS) flaw, which they named Super FabriXss, in December and reported it to Microsoft. The company fixed the issue in March's round of Patch Tuesday updates, and the researchers revealed the technical details of the bug in a blog post published on March 30.

Super FabriXss, tracked as CVE-2023-23383 with a CVSS rating of 8.2, is the second XSS flaw discovered by Orca researchers in Azure Service Fabric Explorer. The first XSS vulnerability, dubbed FabriXss, did not pose as severe a risk as its successor. FabriXss, also patched quickly by Microsoft in a Patch Tuesday update, would have allowed an attacker to gain full administrator permissions on the Service Fabric cluster.

With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes, which 'means that an attacker could potentially gain control of critical systems and cause significant damage,' Lidor Ben Shitrit, cloud security researcher at Orca Security, wrote in the post. An attacker could craft a malicious URL that, when clicked, initiates a multi-step process eventually leading to the creation and deployment of a harmful container on one of the cluster nodes.

To exploit the vulnerability, a victim (an authenticated Service Fabric Explorer user) must first click on the malicious URL and then be guided to click on the Cluster Type under the Events tab. 'Once exploited, sensitive cluster data could be revealed to the attacker, potentially allowing them to expand the attack to a larger surface,' Shitrit explains. The vulnerability itself arises from a vulnerable 'Node Name' parameter, which can be exploited to embed an iframe in the user's context. This iframe then retrieves remote files from a server controlled by the attacker, eventually leading to the execution of a malicious PowerShell reverse shell. 'This attack chain can ultimately result in remote code execution on the container [that] is deployed to the cluster, potentially allowing an attacker to take control of critical systems,' he wrote.

Orca reported the vulnerability to the Microsoft Security Response Center (MSRC) on Dec. 20, and an investigation into the issue began later that month, on Dec. 31. Orca researchers and MSRC communicated several times regarding the impact of the flaw before Microsoft assigned CVE-2023-23383 to the vulnerability and issued a patch for it on March 14 that automatically fixed the issue for customers.

The flaw highlights the inherent danger of unpatched vulnerabilities in cloud-based architectures that an enterprise deploys. These vulnerabilities 'can pose higher risks compared to on-premises solutions,' Shitrit says. 'With cloud-based systems, organizations often depend on third-party providers, leading to a larger attack surface and less control over security measures,' he adds. 'Additionally, it's important to consider the multi-tenant nature of cloud environments and the significance of maintaining proper isolation between tenants.' To address risks posed by cloud-based flaws like Super FabriXss, Shitrit suggests that organizations maintain a regime of cloud security hygiene, including regularly applying patches, monitoring security, addressing vulnerabilities, training employees on best practices, applying network segmentation, enforcing least-privilege permissions, collaborating with providers, and creating a robust incident response plan.

Latest News

• Critical IBM File Transfer Bug Targeted by Cybercriminals: Patch Urgently Required
• Google TAG Exposes Exploit Chains Used to Install Commercial Spyware
• Crown Resorts Investigates Cl0p Ransomware Group's Data Theft Claims
• ChatGPT Data Breach Confirmed Amid Vulnerable Component Exploitation Warning
• Apple Addresses Actively Exploited WebKit Zero-Day for Older iPhones and iPads