
Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

Cloud security company Orca has stated that Microsoft’s Azure Service Fabric Explorer has a severe vulnerability that could potentially allow a remote, unauthenticated attacker to execute arbitrary code.

Tracked as CVE-2023-23383 (CVSS score of 8.2), the bug is described as a cross-site scripting (XSS) issue that could lead to the execution of code on containers hosted on a Service Fabric node. Referred to as ‘Super FabriXss’, the flaw resided in a ‘Node Name’ parameter, which allowed an attacker to embed an iframe to retrieve files from a remote server controlled by the attacker.

By exploiting the security defect, an attacker could execute a malicious PowerShell reverse shell, potentially leading to system takeover. Both Linux and Windows clusters were found vulnerable to the attack. In their demonstration, the researchers crafted a URL and enabled the Cluster Event Type under the Events tab, which allowed them to trigger a JavaScript payload, eventually achieving remote code execution (RCE).

Orca Security’s proof-of-concept (PoC) uses a URL with an embedded iframe that triggers an upgrade of an Internet Information Services (IIS) application that includes an instruction to download a .bat file containing an encoded reverse shell. The attacker can then abuse the reverse shell to gain remote access to the application and use it to launch further attacks, access sensitive information, or potentially take over the cluster node hosting the container.

Microsoft addressed the vulnerability as part of the March 2023 Patch Tuesday security updates, marking it as ‘important’. Due to the complexity of an attack and required user interaction, the tech giant believes that exploitation of this bug is ‘less likely’.

Organizations using Azure Service Fabric Explorer version 9.1.1436.9590 or earlier are advised to update to a patched release as soon as possible. No action is required from Microsoft customers with automatic updates enabled.
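
To act on the version guidance above, the following added example (not code from Orca or Microsoft) triages a list of reported Service Fabric Explorer versions against the 9.1.1436.9590 boundary. The cluster names and all versions other than the boundary are constructed, and treating every higher version as "newer" is an assumption drawn from the article's wording.

```python
import re

# Highest affected version, taken from the advisory text above.
LAST_AFFECTED = (9, 1, 1436, 9590)

_VERSION_RE = re.compile(r"\d+(\.\d+){3}")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part dotted version."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Map a reported version string to 'affected', 'newer' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        # Fail closed: an unreadable version needs a manual check, not a pass.
        return "unknown"
    # Tuple comparison is numeric per component, so 9.1.999.0 counts as older
    # than 9.1.1436.9590 even though it sorts higher as a plain string.
    return "affected" if version <= LAST_AFFECTED else "newer"


def triage(inventory):
    """Group cluster names by status, given (name, version) pairs."""
    result = {"affected": [], "newer": [], "unknown": []}
    for name, version_text in inventory:
        result[classify(version_text)].append(name)
    return result


# Constructed inventory: names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("cluster-a", "9.1.1436.9590"),  # the boundary version itself
    ("cluster-b", "9.1.999.0"),      # lower build that a string compare misorders
    ("cluster-c", "9.1.2000.1"),     # constructed higher build number
    ("cluster-d", "9.1.x"),          # malformed report
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Clusters reported as "unknown" should be checked by hand rather than assumed safe.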

In summary, a high-severity vulnerability in Microsoft’s Azure Service Fabric Explorer revealed by Orca Security could have allowed a remote, unauthenticated attacker to execute arbitrary code. By exploiting the security defect, an attacker could execute a malicious PowerShell reverse shell, leading to system takeover. Microsoft addressed the vulnerability as part of the March 2023 Patch Tuesday security updates, and organizations using Azure Service Fabric Explorer version 9.1.1436.9590 or earlier are advised to update to a patched release as soon as possible.

Key Points:

  • High-severity vulnerability in Microsoft’s Azure Service Fabric Explorer could have allowed a remote, unauthenticated attacker to execute arbitrary code.
  • By exploiting the security defect, an attacker could execute a malicious PowerShell reverse shell, leading to system takeover.
  • Microsoft addressed the vulnerability as part of the March 2023 Patch Tuesday security updates.
  • Organizations using Azure Service Fabric Explorer version 9.1.1436.9590 or earlier are advised to update to a patched release as soon as possible.
