Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

A high-severity vulnerability in Microsoft’s Azure Service Fabric Explorer could have allowed a remote, unauthenticated attacker to execute arbitrary code, cloud security firm Orca says.

Tracked as CVE-2023-23383 (CVSS score of 8.2), the bug is described as a cross-site scripting (XSS) issue that could lead to the execution of code on containers hosted on a Service Fabric node.

Referred to as ‘Super FabriXss’, the flaw resided in a ‘Node Name’ parameter, which allowed an attacker to embed an iframe to retrieve files from a remote server controlled by the attacker.

By exploiting the security defect, an attacker could execute a malicious PowerShell reverse shell, allowing them to run code on the container deployed to the cluster, potentially leading to system takeover. Both Linux and Windows clusters were found vulnerable to the attack.

After creating a new Azure Service Fabric, the researchers observed that modifying a Node name in the user interface is reflected in the Node’s independent dashboard.

The researchers then crafted a URL and enabled the Cluster Event Type under the Events tab, which allowed them to trigger a JavaScript payload, eventually achieving remote code execution (RCE).

Orca Security’s proof-of-concept (PoC) uses a URL with an embedded iframe that triggers an upgrade of an Internet Information Services (IIS) application that includes an instruction to download a .bat file containing an encoded reverse shell.

The attacker can then abuse the reverse shell to gain remote access to the application and use it to launch further attacks, access sensitive information, or potentially take over the cluster node hosting the container.

An attacker could create a custom URL that, when accessed by an authenticated user with appropriate permissions, could instruct the user to enable the Cluster Event Type, triggering the code execution chain.

“It’s worth noting that this attack takes advantage of the Cluster Type Toggle options under the Events Tab in the Service Fabric platform that allows an attacker to overwrite an existing Compose deployment by triggering an upgrade with a specially crafted URL from XSS vulnerability,” Orca explains.

Microsoft addressed the vulnerability as part of the March 2023 Patch Tuesday security updates, marking it as ‘important’. Due to the complexity of an attack and required user interaction, the tech giant believes that exploitation of this bug is ‘less likely’.

“The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster. A victim user would have to click the stored XSS payload injected by the attacker to be compromised,” Microsoft notes in its advisory.

Organizations using Azure Service Fabric Explorer version 9.1.1436.9590 or earlier are advised to update to a patched release as soon as possible. No action is required from Microsoft customers with automatic updates enabled.

Related:Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

Related: Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April

Related: Microsoft SmartScreen Zero-Day Exploited to Deliver Magniber Ransomware

Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution