Microsoft’s Azure Service Fabric XSS Patch

October 28, 2023

Stay secure with Microsoft’s Azure Service Fabric XSS patch. Keep your applications protected from cross-site scripting vulnerabilities. Cloud cybersecurity startup Orca Security Ltd. today shared details of a previously unknown Microsoft Azure vulnerability that lets hackers take remote control of the platform. Dubbed Super FabriXss, it lets attackers escalate in reflected cross-site scripting by abusing the metrics tab and enabling a specific setting on the dashboard.

It was rated Critical by Orca and fixed by Microsoft with its March Patch Tuesday updates. The update automatically fixes the flaw for all customers.

Orca Security Discovers a Dangerous XSS Flaw in Azure Service Fabric Explorer

A new flaw discovered by Orca Security has the potential to allow hackers to execute code remotely on a Service Fabric cluster node without authentication. The XSS vulnerability, which Microsoft has now patched and will disclose as part of its March 2023 Patch Tuesday fixes, can be exploited by attackers who access the Service Fabric Explorer web application from an untrusted site or IP address.

SF Explorer is an open-source, web-based management tool that helps users visualize and monitor their Service Fabric applications and their underlying Service Fabric clusters. Using SF Explorer, administrators can monitor metrics and logs, create and manage applications and services, upgrade and scale them, and view health reports.

Orca Security’s researchers found a reflected cross-site scripting (XSS) flaw in the SF Explorer dashboard. The XSS flaw, which Orca dubbed Super FabriXss after discovering the first one, allows an attacker to gain remote code execution by clicking on a malicious link and then toggling the ‘Cluster Type Toggle’ option in the Events tab.

In addition to enabling reflected XSS, the vulnerability also has the potential to expose sensitive data and lead to other attacks. The attack chain begins with the exploitation of a vulnerable iframe, which can be used to embed a malicious script that retrieves remote files from an attacker-controlled server. This ultimately leads to the execution of a PowerShell reverse shell.

Once the hacker gains remote control of the SFX dashboard, he or she can use the ‘Cluster Type Toggle’ button to overwrite an existing Compose deployment with a malicious one. The new deployment then takes advantage of a CMD instruction in the Dockerfile that will download and run a .bat file. This file will retrieve an additional file that contains an encoded reverse shell, allowing the hacker to take control of the cluster node on which the container is hosted.

In addition to the potential for remote code execution, the flaw can lead to a loss of control over the affected machine as well as the system that runs the container. Orca Security points out that this kind of vulnerability highlights the importance of ensuring that websites treat all input as suspicious, using encoding and sanitization techniques, HttpOnly flags for cookies, and content security policies.

Microsoft Patches the Vulnerability

Microsoft patched two zero-day vulnerabilities in its latest Patch Tuesday release. The company fixed a total of 38 CVEs in its May 2023 update, with six rated as critical and 32 rated as important. There was a heavy focus on remote code execution and elevation of privilege issues.

The two zero-day flaws included fixes for the Azure Service Fabric Explorer XSS vulnerability. The flaw, called Super FabriXss and dubbed CVE-2023-23383 with a CVSS score of 8.2, allows unauthenticated attackers to execute arbitrary code on a Service Fabric cluster node. Orca Security discovered the flaw and disclosed it to Microsoft in March 2023. The company assigned the issue the same name and included it in its monthly Patch Tuesday update.

In addition to the SFX XSS vulnerability, this month’s update addressed three other severe vulnerabilities in Windows and its components, Microsoft Edge (Chromium, iOS, and Android), Exchange, Azure, Office and Office Components, and SharePoint Server. This month’s Patch Tuesday release had a heavy slant toward remote code execution issues, with 31.6% of the issues ranked as critical, and elevation of privilege problems accounting for 21.1% of the vulnerabilities.

One of the CVEs pushed out by Microsoft this month was a critical remote code execution vulnerability in Bing, which could allow hackers to access emails and other documents stored on a victim’s machine. The other zero-day fix included in this month’s Patch Tuesday was CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver. Microsoft warned that the vulnerability is already being exploited in the wild, but didn’t reveal further details or release IOCs.

Despite the slant toward critical issues, it appears as though Microsoft has finally started to rein in its monthly patch release rate. This month’s release had fewer than 100 CVEs, which is significantly down from the months of 2021 in which the company churned out over 100 patches each month. With the influx of zero-day flaws, however, it’s clear that organizations must continue to keep their systems updated as soon as possible to prevent attackers from exploiting these holes.

Orca Security Demonstrates the Vulnerability at BlueHat IL 2023

In a demonstration at the recent BlueHat 2023 cybersecurity conference, Orca Security showed how a new vulnerability in Microsoft Azure can be exploited to gain full administrator access to a Service Fabric cluster. The flaw, which the company calls Super FabriXss, uses a mirrored cross-site scripting attack to exploit a toggle within the Event Tab of the Service Fabric dashboard.

Orca’s research team first discovered the problem at a Pwn2Own hacking event in December 2022 and provided proof-of-concept code to both Microsoft and TP-Link, which issued a patch in February. The attack begins with a malicious URL that includes an embedded iframe and a fetch request to trigger the upgrade of an existing Compose deployment. The upgrade process overwrites the existing deployment with a new one that contains an executable CMD instruction in its Dockerfile and a remote.bat file.

Once the attack is launched, a malicious user can use the exposed CommandInjection vulnerability to inject commands into the victim’s device and then gain control of the machine by entering a series of commands at the command prompt. This can be used to wreak havoc by hijacking the device, stealing sensitive data or executing unauthorized code on it.

The TP-Link Archer A21 router’s CommandInjection flaw stems from the lack of input sanitization in the firmware. As a result, hackers can inject commands into the device and execute them, gaining complete system control from anywhere in the world.

While it may seem surprising that a router could be hacked in such a way, such attacks are actually quite common, and many devices are vulnerable to similar exploits. For example, a command-injection flaw exists in a popular home network router by TP-Link called the AX1800.

Orca’s agentless cloud security platform connects to an environment in minutes, automatically detecting all assets across AWS, Azure and Kubernetes. It detects a variety of cloud risks, including misconfigurations, API vulnerabilities and weaknesses, lateral movement risk, weak and leaked passwords, sensitive data at risk and more.

Security Center identifies and mitigates threats to cloud infrastructure by using network-layer analytics based on sample IPFIX data, which is gathered from core routers. It can help reduce the likelihood of a Man-in-the-Middle attack by routing traffic over the Microsoft backbone rather than through untrusted networks. It also encrypts traffic that traverses over untrusted networks to prevent information from being intercepted by attackers. These controls can protect against most of this technique’s sub-techniques resulting in an overall score of Partial.

Microsoft Issues a Patch

Microsoft has issued a patch for a dangerous flaw that was discovered in the Azure Service Fabric inspection tool. The flaw, which researchers at Orca Security dubbed Super FabriXss, could allow unauthenticated remote attackers to execute code on a container hosted on an Azure Service Fabric node without any authentication requirements. Microsoft quickly patched the issue in March’s round of Patch Tuesday updates.

Azure Service Fabric is a cloud-native platform for deploying stateful microservices, containers, and applications. It can scale to thousands of machines in a cluster, providing a data-aware platform that supports low-latency and high-throughput workloads. It’s also designed to handle both stateless and stateful services, making it ideal for mission-critical environments.

The platform is based on microservices, which are modular pieces of software that run in their own independent containers. These microservices communicate with one another using service application-programming interfaces. The Service Fabric environment makes it easy to build, package, and deploy apps — and it provides robust lifecycle management capabilities for complex, stateful microservices.

VaiSulWeb offers Azure Service Fabric Managed Hosting as part of our Enterprise Cloud Solutions. This managed solution allows our customers to delegate the responsibility of managing their Service Fabric clusters to our technicians while focusing on developing and deploying their applications. We can also help them take advantage of the features and benefits that the platform has to offer for their business.

Aside from the fact that Azure Service Fabric is infrastructure-independent, it can be deployed on any cloud or datacenter, and it’s compatible with Windows or Linux operating systems. It’s also highly portable, allowing it to be used with any CI/CD deployment model and spanning multiple geographic regions.

In addition, the platform uses a transport subsystem to secure communication between VMs and different Azure Service Fabric clusters. This system helps to ensure the security of cluster nodes by requiring a VM to request permission to join a cluster before it can do so. It also enforces a node-to-node security policy, and it utilizes X.509 certificates and Windows security to support authentication. This is a good thing because it helps to ensure that only authorized VMs can access the cluster and its data.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
