UPDATED 21:43 EDT / JANUARY 31 2021

SECURITY

Vulnerability in Azure Functions allows an attacker to escape to the Docker host

A newly discovered vulnerability in Microsoft Azure Functions can allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.

Azure Functions, Microsoft Corp.’s equivalent to Amazon Web Services Inc.’s Lambda service, is a serverless computing service launched in 2016. It allows users to establish automated action triggers in response to particular events without requiring the creation of the complex logical scaffolding needed to support such functions from scratch.

Detailed Jan. 27 by cybersecurity researcher Paul Litvak at Intezer Labs Ltd., the vulnerability can be triggered by HTTP requests, which are meant to run for only a few minutes in order to handle the event. That by itself would not normally be an issue, but in a demonstration, Litvak mimicked an attacker executing Azure Functions and escalating privileges to escape to the Docker host.

Escaping Docker in this case gave Litvak root access. “Escalating to root within a container is a remarkable achievement, yet escalating privileges within containers is not the final destination for an attacker,” Litvak explained. “Compromising the Docker host would give them much more control, allowing them to break away from the container which might be monitored and moving to the Docker host which is often neglected in terms of security.”

Before going public with the details, Litvak took the vulnerability to Microsoft for assessment. Microsoft determined that the vulnerability has no security impact on Functions users because the Docker host itself is protected by a Hyper-V boundary. That said, Microsoft has made changes to block the /etc and /sys directories to provide additional protection.

“No matter how hard you work to secure your own code, sometimes vulnerabilities are out of your control,” Litvak noted. “It’s critical that you have protection measures in place to detect and terminate when the attacker executes unauthorized code in your production environment.”

Jigar Shah, vice president of network security service Valtix Inc., told SiliconANGLE that as enterprises adopt new approaches such as serverless and microservices architecture, simply relying on the underlying security of these services or those from the cloud provider is asking for trouble.

“The old mantra of reducing the attack surface and defense in depth is still crucial: Use attribute-based access control and apply URL filtering for all outbound flows,” Shah said. “Network Security 101 does not disappear because we moved to public clouds.”

Image: Microsoft
