Vulnerability in Azure Functions allows an attacker to escape to the Docker host
A newly discovered vulnerability in Microsoft Azure Functions can allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.
Azure Functions, Microsoft Corp.’s equivalent to Amazon Web Services Inc.’s Lambda service, is a serverless computing service launched in 2016. It allows users to establish automated action triggers in response to particular events without requiring the creation of the complex logical scaffolding needed to support such functions from scratch.
Detailed Jan. 27 cybersecurity researcher Paul Litvak at Intezer Labs Ltd., the vulnerability can be triggered by HTTP requests, which are meant to run for only a few minutes in order to handle the event. That by itself would not normally be an issue, but in a demonstration, Litvak mimicked an attacker executing Azure Functions and escalate privileges to escape to the Docker host.
Escaping Docker in this case gave Litvak root access. “Escalating to root within a container is a remarkable achievement, yet escalating privileges within containers is not the final destination for an attacker,” Latvik explained. “Compromising the Docker host would give them much more control, allowing them to break away from the container which might be monitored and moving to the Docker host which is often neglected in terms of security.”
Before going public with the details, Litvak took the vulnerability to Microsoft for assessment. Microsoft determined that the vulnerability has no security impact on Functions users because the Docker host itself is protected by a Hyper-V boundary. That said, Microsoft has made changes to block the /etc and /sys directories to provide additional protection.
“No matter how hard you work to secure your own code, sometimes vulnerabilities are out of your control,” Latvik noted. “It’s critical that you have protection measures in place to detect and terminate when the attacker executes unauthorized code in your production environment.”
Jigar Shah, vice president of network security service Valtix Inc., told SiliconANGLE that as enterprises adopt new approaches such as serverless and microservices architecture, simply relying on the underlying security of these services or those from the cloud provider is asking for trouble.
“The old mantra of reducing the attack surface and defense in depth is still crucial: Sse attribute-based access control and apply URL filtering for all outbound flows,” Shah said. “Network Security 101 does not disappear because we moved to public clouds.”
Image: Microsoft
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU