UPDATED 13:00 EDT / MARCH 30 2023

SECURITY

Now-patched Azure vulnerability opened the door to remote code execution

Cloud cybersecurity startup Orca Security Ltd. today detailed the discovery of a previously unknown vulnerability in Microsoft Corp.’s Azure that allowed hackers to undertake remote code execution.

Dubbed “Super FabriXss,” the vulnerability was demonstrated at BlueHat IL 2023, showing how they could escalate a reflected cross-site scripting vulnerability in Azure Service Fabric Explorer. The demonstration showed how an unauthenticated Remote Code Execution could abuse the metrics tab and enable a specific option in the console, the ‘Cluster Type’ toggle.

Orca describes Super FabriXss as a dangerous cross-site scripting or XXS vulnerability that affects Azure Service Fabric Explorer. The vulnerability enables unauthenticated, remote attackers to execute code on a container hosted on a Service Fabric node.

The XSS vulnerability can be used to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. The XSS vulnerability goes further, becoming a full RCE vulnerability after clicking on a crafted malicious URL and toggling the “Cluster” Event Type setting under the Events tab.

Exploiting the vulnerability requires two steps. The first involves using an embedded iframe that triggers a fetch request. The attacker’s code then takes advantage of the upgrade process to overwrite the existing deployment with a new, malicious one. The new deployment includes a CMD instruction in its Dockerfile to download a remote .bat file.

Once the .bat file is downloaded, it is executed and retrieves a second file that contains an encoded reverse shell. The reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted.

Before going public, Orca Security reported the vulnerability to the Microsoft Security Response Center. Microsoft investigated the issue, assigned it CVE-2023-23383 and gave it a Common Vulnerability Scoring System score of 8.2, meaning “important” severity. Microsoft subsequently released a fix and included it in its recent March 2023 Patch Tuesday release.

Organizations using Service Fabric Explorer version 9.1.1583.9590 or earlier are vulnerable. The Orca researchers recommend that users, if they have not done so yet, update their Service Fabric Explorer install to avoid exposure.

Image: Microsoft

A message from John Furrier, co-founder of SiliconANGLE:

Support our open free content by sharing and engaging with our content and community.

Join theCUBE Alumni Trust Network

Where Technology Leaders Connect, Share Intelligence & Create Opportunities

11.4k+  
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+ 
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.

SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .

Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.