A newly discovered vulnerability in Microsoft Azure Functions can allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.

Azure Functions, Microsoft Corp.’s equivalent to Amazon Web Services Inc.’s Lambda service, is a serverless computing service launched in 2016. It allows users to establish automated action triggers in response to particular events without requiring the creation of the complex logical scaffolding needed to support such functions from scratch.

Detailed Jan. 27 cybersecurity researcher Paul Litvak at Intezer Labs Ltd., the vulnerability can be triggered by HTTP requests, which are meant to run for only a few minutes in order to handle the event. That by itself would not normally be an issue, but in a demonstration, Litvak mimicked an attacker executing Azure Functions and escalate privileges to escape to the Docker host.

Escaping Docker in this case gave Litvak root access. “Escalating to root within a container is a remarkable achievement, yet escalating privileges within containers is not the final destination for an attacker,” Latvik explained. “Compromising the Docker host would give them much more control, allowing them to break away from the container which might be monitored and moving to the Docker host which is often neglected in terms of security.”

Before going public with the details, Litvak took the vulnerability to Microsoft for assessment. Microsoft determined that the vulnerability has no security impact on Functions users because the Docker host itself is protected by a Hyper-V boundary. That said, Microsoft has made changes to block the /etc and /sys directories to provide additional protection.

“No matter how hard you work to secure your own code, sometimes vulnerabilities are out of your control,” Latvik noted. “It’s critical that you have protection measures in place to detect and terminate when the attacker executes unauthorized code in your production environment.”

Jigar Shah, vice president of network security service Valtix Inc., told SiliconANGLE that as enterprises adopt new approaches such as serverless and microservices architecture, simply relying on the underlying security of these services or those from the cloud provider is asking for trouble.

“The old mantra of reducing the attack surface and defense in depth is still crucial: Sse attribute-based access control and apply URL filtering for all outbound flows,” Shah said. “Network Security 101 does not disappear because we moved to public clouds.”

Image: Microsoft