Service Fabric Privilege Escalation from Containerized Workloads on Linux

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster.

Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack. The fix for this privilege escalation issue was made available on 26 May 2022 and has been applied to all customers subscribed to automatic updates.

Customer Impact:

Customers without automatic updates enabled should upgrade their Linux clusters to the most recent SF release. Release notes can be found here. Customers whose Linux clusters are automatically updated do not need to take further action.

Additionally, if you are running SF Windows clusters, you are not impacted by this issue. However, we always recommend staying updated to the latest release.

Microsoft recommends that customers continue to review all containerized workloads (both Linux and Windows) that are permitted access to their host clusters. By default, an SF cluster is a single-tenant environment and thus there is no isolation between applications. Creating isolation is possible, and additional guidance on hosting untrusted code can be found on the Azure Service Fabric security best practices page.

Microsoft’s Mitigation:

Once this issue was reported to Microsoft, we took the following steps to investigate and mitigate the issue:

  • 24 May 2022 – We fixed the privilege escalation bug in the SF runtime and started updating the customers with automated updates enabled; specifically, the SF Diagnostics Collection Agent (DCA) was changed to not consume user-generated files written into the container’s log folder.
  • 09 Jun 2022 – We updated our public security guidance including details regarding the implications of hosting untrusted code or having one’s containers compromised.
  • 14 Jun 2022 – CVE-2022-30137 was published for this issue and the fixes were deployed to customers leveraging automatic updates. Customers without automatic updates received portal notifications through Azure Service Health.

Technical Details:

A successful attack on this vulnerability requires the following steps, in order:

  • Step 1: An attacker must compromise a containerized workload deployed by the owner of a Linux SF cluster.
  • Step 2: The hostile code running inside the container could substitute an index file read by DCA with a symlink.
    • Using an additional timing attack, an attacker could gain control of the machine hosting the SF node.
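The two ingredients above, a symlink planted where a privileged collector expects a file and a race between the collector's check and its read, are the classic pattern a host-side agent has to defend against when it reads from a folder that a container can write to. The added example below (not Service Fabric or DCA code; the routine names and the folder layout are assumptions) shows the hardening that corresponds to the fix described in the mitigation timeline: the collector opens the file with `O_NOFOLLOW` so a symlink is refused, and then makes its trust checks (regular file, expected owner, no stray hard links) with `fstat()` on the descriptor it actually opened rather than with a separate `lstat()` on the path, which closes the check-then-use window. The demo builds a constructed log folder, reads a genuine index file, then swaps that file for a symlink and shows the read being rejected.

```python
import errno
import os
import stat
import tempfile


class UntrustedLogFile(Exception):
    """Raised when a file in the log folder fails the collector's trust checks."""


def open_trusted_log(dir_fd: int, name: str, expected_uid: int) -> int:
    """Open `name` inside the directory referenced by `dir_fd` on behalf of a
    privileged collector (hypothetical routine, not DCA's own code).

    - O_NOFOLLOW makes the kernel refuse a symlink in the final component with
      ELOOP, so a link planted in the writable log folder cannot redirect the
      read to a file elsewhere on the host.
    - The trust checks run on the opened descriptor via fstat(); a path-based
      lstat() before open() could be raced, the descriptor cannot.
    """
    if "/" in name or name in ("", ".", ".."):
        raise UntrustedLogFile(f"refusing path-like name {name!r}")
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY | os.O_CLOEXEC
    try:
        fd = os.open(name, flags, dir_fd=dir_fd)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise UntrustedLogFile(f"{name!r} is a symlink") from None
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedLogFile(f"{name!r} is not a regular file")
        if st.st_uid != expected_uid:
            raise UntrustedLogFile(
                f"{name!r} is owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_nlink != 1:
            raise UntrustedLogFile(f"{name!r} has extra hard links")
    except Exception:
        os.close(fd)
        raise
    return fd


def read_trusted_log(dir_fd: int, name: str, expected_uid: int) -> bytes:
    """Read the whole file after it has passed the trust checks."""
    fd = open_trusted_log(dir_fd, name, expected_uid)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario: a container log folder with an index file that is
    first genuine and then replaced by a symlink to a file outside the folder.
    Returns the collector's outcome for each read so it can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        logdir = os.path.join(root, "container-logs")
        os.mkdir(logdir)
        index = os.path.join(logdir, "index.json")
        with open(index, "w") as f:
            f.write('{"files": ["app.log"]}')          # genuine index, constructed
        outside = os.path.join(root, "host-only-file")  # constructed target outside the folder
        with open(outside, "w") as f:
            f.write("host-only data")

        dir_fd = os.open(logdir, os.O_RDONLY | os.O_DIRECTORY)
        try:
            me = os.getuid()
            results["genuine"] = read_trusted_log(dir_fd, "index.json", me)
            # same file, but the collector expects a different owner: treated as user-generated
            try:
                read_trusted_log(dir_fd, "index.json", me + 1)
                results["wrong_owner"] = "accepted"
            except UntrustedLogFile:
                results["wrong_owner"] = "rejected"
            # substitute the index file with a symlink, as in Step 2 above
            os.remove(index)
            os.symlink(outside, index)
            try:
                read_trusted_log(dir_fd, "index.json", me)
                results["after_symlink_swap"] = "accepted"
            except UntrustedLogFile:
                results["after_symlink_swap"] = "rejected"
        finally:
            os.close(dir_fd)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The ownership check is what implements "do not consume user-generated files": a file written by the container's process will carry that process's uid, not the uid the collector expects, and is refused even though it is a regular file. Opening relative to a directory descriptor (`dir_fd`) also means a rename of the log folder itself between open and read has no effect on which directory is consulted.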

By design, root access on the machine hosting the SF node is not considered a security boundary in an SF cluster; the highest privileged role on a node is equally privileged anywhere in the same cluster.

Palo Alto Networks posted a blog about this issue available here. We appreciate the opportunity to investigate the findings reported by Palo Alto Networks and thank them for practicing safe security research under the terms of our bug bounty program. More information about the Microsoft Bug Bounty Program and the program’s Terms and Conditions can be found using these links.

Additional references: