Cloud cybersecurity startup Orca Security Ltd. today detailed the discovery of a previously unknown vulnerability in Microsoft Corp.’s Azure that allowed hackers to undertake remote code execution.

Dubbed “Super FabriXss,” the vulnerability was demonstrated at BlueHat IL 2023, showing how they could escalate a reflected cross-site scripting vulnerability in Azure Service Fabric Explorer. The demonstration showed how an unauthenticated Remote Code Execution could abuse the metrics tab and enable a specific option in the console, the ‘Cluster Type’ toggle.

Orca describes Super FabriXss as a dangerous cross-site scripting or XXS vulnerability that affects Azure Service Fabric Explorer. The vulnerability enables unauthenticated, remote attackers to execute code on a container hosted on a Service Fabric node.

The XSS vulnerability can be used to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. The XSS vulnerability goes further, becoming a full RCE vulnerability after clicking on a crafted malicious URL and toggling the “Cluster” Event Type setting under the Events tab.

Exploiting the vulnerability requires two steps. The first involves using an embedded iframe that triggers a fetch request. The attacker’s code then takes advantage of the upgrade process to overwrite the existing deployment with a new, malicious one. The new deployment includes a CMD instruction in its Dockerfile to download a remote .bat file.

Once the .bat file is downloaded, it is executed and retrieves a second file that contains an encoded reverse shell. The reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted.

Before going public, Orca Security reported the vulnerability to the Microsoft Security Response Center. Microsoft investigated the issue, assigned it CVE-2023-23383 and gave it a Common Vulnerability Scoring System score of 8.2, meaning “important” severity. Microsoft subsequently released a fix and included it in its recent March 2023 Patch Tuesday release.

Organizations using Service Fabric Explorer version 9.1.1583.9590 or earlier are vulnerable. The Orca researchers recommend that users, if they have not done so yet, update their Service Fabric Explorer install to avoid exposure.

Image: Microsoft