Coordinated disclosure of vulnerability in Azure Container Instances Service

Microsoft recently mitigated a vulnerability, reported by a security researcher, in Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution, we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before they are misused. We want to thank Palo Alto Networks, who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe.

Which Azure Container Instances accounts were potentially affected? 

There is no indication any customer data was accessed due to this vulnerability. Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher activities, advising that they revoke any privileged credentials that were deployed to the platform before August 31, 2021.

If you did not receive a Service Health Notification, no action is required. The vulnerability is fixed and our investigation surfaced no unauthorized access in other clusters. If you are unsure whether your subscription or organization has received a notification, please contact Azure Support. If you have any concerns, rotating privileged credentials is a good periodic security practice and would be an effective precautionary measure.

How to secure ACI

There is no indication any customer data was accessed due to this issue, and we encourage customers to use the following best security practices:

  • As a precautionary measure, if you were notified, we recommend revoking any privileged credentials that were deployed to the platform before August 31st, 2021. Common places to specify configuration and secrets for container groups include:
    • Environment Variables
    • Secret Volumes
    • Azure file share
  • Consult these security best practices resources 
  • As part of standard security practices, you should revoke privileged credentials on a frequent basis.
  • Stay up to date on important security-related notifications like this one by configuring Azure Service Health Alerts.  
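
An added example (not Microsoft's code) that inventories the three locations listed above in a container group definition, so each credential found there can be revoked and reissued. The field names follow the ACI container group resource shape as an assumption; the sample group, its values and the name-hint list are constructed.

```python
import json

# Constructed sample shaped like a container group definition.
# Field names are assumed from the ACI resource schema; values are placeholders.
SAMPLE_GROUP = json.loads("""
{
  "name": "example-group",
  "containers": [
    {"name": "web",
     "environmentVariables": [
       {"name": "LOG_LEVEL", "value": "info"},
       {"name": "DB_PASSWORD", "secureValue": null},
       {"name": "API_TOKEN", "value": "PLACEHOLDER"}
     ]}
  ],
  "volumes": [
    {"name": "certs", "secret": {}},
    {"name": "data", "azureFile": {"shareName": "share1",
                                   "storageAccountName": "examplestorage"}},
    {"name": "scratch", "emptyDir": {}}
  ]
}
""")

# Constructed hint list: substrings that suggest a variable holds a credential.
HINTS = ("password", "passwd", "secret", "token", "key", "credential", "connection")

def credential_locations(group):
    """Return (kind, location) pairs that should be reviewed for rotation."""
    findings = []
    for c in group.get("containers") or []:
        for env in c.get("environmentVariables") or []:
            name = env.get("name", "")
            # Assumption: a secureValue key marks a secure variable even when
            # its value is null in the definition being read.
            if "secureValue" in env or any(h in name.lower() for h in HINTS):
                findings.append(("environment variable", f"{c.get('name')}/{name}"))
    for v in group.get("volumes") or []:
        if v.get("secret") is not None:
            findings.append(("secret volume", v.get("name")))
        share = v.get("azureFile")
        if share:  # mounted with a storage account key, which is the credential
            where = f"{share.get('storageAccountName')}/{share.get('shareName')}"
            findings.append(("Azure file share key", where))
    return findings

if __name__ == "__main__":
    for kind, where in credential_locations(SAMPLE_GROUP):
        print(f"rotate: {kind:22} {where}")
```

Name matching is only a heuristic, so variables it does not flag still need a manual look.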

Please reach out to Azure Support if you have any questions.