Researchers on Tuesday reported that Microsoft has issued a patch for FabricScape (CVE-2022-30137), a vulnerability that lets Linux containers escalate their privileges to gain root privileges on a node and then compromise all the nodes in a cluster.
In a blog post, Palo Alto’s Unit 42 said it worked closely with Microsoft on the issue for several months and Microsoft released a patch earlier this month on June 14. The researchers said Microsoft has already mitigated the issue in Linux clusters, and also updated internal production environments of offerings and products that are powered by Microsoft Service Fabric.
The researchers said the vulnerability was “of important severity” in Microsoft’s Service Fabric, which is commonly used with Azure, hosts more than 1 million applications and runs millions of cores daily. It powers many Azure offerings, including Azure Service Fabric, Azure SQL Database, and Azure CosmosDB, as well as Cortana and Microsoft Power BI.
Unit 42 advises customers running Azure Service Fabric without automatic updates enabled to upgrade their Linux clusters to the most recent Service Fabric release. Customers with Linux clusters that automatically update don’t need to take any further action.
In targeting cloud-based applications using Microsoft Service Fabric, threat actors are once again finding opportunities at scale based on some percent of system operators not being on top of applying security updates and patches, said Bud Broomhead, CEO at Viakoo. Broomhead said similar to vulnerabilities targeting open source software components or IoT devices, hackers will succeed in cases where patching does not get done automatically.
“While there may be good reasons for an organization to not have security fixes implemented automatically, as Microsoft recommends, those same organizations must be prepared to react quickly and manually to high-severity threats like this,” Broomhead said. “Not being staffed or prepared to handle this task puts the application owner in a position where it can damage their reputation or even invalidate their cyber insurance for not maintaining security properly.”
Jonathan Knudsen, senior security strategist at Synopsys Software Integrity Group, said the disclosure of this CVE should remind security pros of two important software security principles.
First, don’t trust defaults. Knudsen said people often assume that software security has been addressed by upstream providers. In this case, Knudsen said the default granting of runtime access for every container is a choice that users might make differently if they took a deliberate, informed approach to security decisions.
Second, all software has bugs. Even software infrastructure like cloud services can have vulnerabilities. Organizations need to be cognizant of their entire supply chain of software so that they can respond to vulnerabilities like this calmly, efficiently, and expeditiously.
“The development, deployment, and maintenance of software demands careful stewardship of a lengthy, complex supply chain,” Knudsen said. “A holistic approach to software security is the best way to address this supply chain in a way that uses available resources efficiently to reduce risk.”