Researchers have provided information regarding a new security flaw affecting Microsoft's Azure Service Fabric, dubbed FabricScape. The bug could be exploited to obtain elevated permissions and control all nodes in a cluster.
Why FabricScape matters?
Tracked as CVE-2022-30137, FabricScape works only on containers configured to have runtime access.
Exploiting the vulnerability, an attacker can access a compromised container and perform privilege escalation in a way to gain control of the resource's host SF node and entire cluster.
Though the bug impacts Windows as well as Linux platforms, it is only exploitable on Linux systems. Windows has been vetted and found not to be exposed to this attack.
The FabricScape vulnerability resides in a component named Diagnostics Collection Agent (DCA) that gathers container log information and relates to symlink race.
In a PoC exploit, it was demonstrated that an attacker with access to a containerized workload could swap a file read by the agent with a rogue symbolic link to overwrite an arbitrary file, as DCA runs as root.
For code execution, researchers used the dynamic linker hijacking technique, where they abused the LD_PRELOAD environment variable.
There is no evidence that FabricScape has been exploited in real-world attacks. However, organizations are suggested to take immediate action to find out if their environments have applied the patches. Further, review containerized workloads in both Windows and Linux environments.