Researchers at Orca Security disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer.
The vulnerability was reported to the Microsoft Security Response Center (MSRC) under responsible disclosure and was included by Microsoft in its March 2023 Patch Tuesday round. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This newly discovered vulnerability is listed as CVE-2023-23383 with a CVSS score of 8.2 out of 10.
This vulnerability was dubbed Super FabriXss, and it affects Azure Service Fabric Explorer version 9.1.1436.9590 and earlier.
The researchers’ story is interesting because it shows that it is still possible to find new Cross-Site Scripting (XSS) vulnerabilities in well-established and complex systems like Azure. And it’s frightening because the Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node, without the need for authentication.
Azure Service Fabric Explorer (SFX) is an open-source tool for inspecting and managing Azure Service Fabric clusters. A Service Fabric cluster is a network-connected collection of virtual or physical computers where your microservices are deployed and managed. A cluster can have thousands of nodes.
What the researchers found after some testing is that when the Node name is modified in the SFX UI, the change is reflected in the Node’s independent dashboard. So they set out to try different names to observe how the server handles non-existent and/or modified values for different variables.
By trying some simple HTML code, like an H1 tag (which is often used to display the main topic on a web page in a larger font size), they found that clicking on Cluster in the options on the Events tab resulted in the new title being displayed as a large heading, due to the effect of the
Image courtesy of Orca Security
While this is no serious attack by itself, it shows that there are ways to circumvent the input sanitization that takes place, or should take place, and that it might be possible to inject more complex HTML code.
How can this be used in a full-fledged attack?
For a full analysis, feel free to read the blog by the researchers, which goes into more detail. But, roughly, the attack would work like this:
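The root cause the article describes is a classic one: a value an attacker can influence (here, a node name) is placed into the page's HTML without output encoding, so an H1 tag in the name is parsed as markup instead of shown as text. The following is an added example, not code from the original article or from Service Fabric Explorer; it shows an unencoded render beside the encoded fix and a simple check that flags when raw markup from input survives into the rendered output. The function names and the sample node names are constructed for illustration.

```javascript
// Added example (not the article's or SFX's code): reflected input rendered
// without encoding versus with HTML output encoding. Names are constructed.

// Unsafe: the raw value is concatenated into the markup, so a node named
// "<h1>Test</h1>" is rendered by the browser as a real heading.
function renderTitleUnsafe(nodeName) {
  return `<div class="node-title">Node: ${nodeName}</div>`;
}

// HTML output encoding for text and attribute contexts: each character with
// meaning in HTML is replaced by an entity, so the browser displays the node
// name verbatim instead of parsing it.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened render: identical template, but the untrusted value is encoded.
function renderTitleSafe(nodeName) {
  return `<div class="node-title">Node: ${escapeHtml(nodeName)}</div>`;
}

// Review/test helper: if the user-supplied value contains angle brackets and
// appears unchanged in the rendered HTML, the value was not encoded for
// that context.
function containsRawMarkup(rendered, userValue) {
  return /[<>]/.test(userValue) && rendered.includes(userValue);
}

// Constructed sample node names, including the harmless H1 probe the
// researchers describe and a name with quote/ampersand characters.
const SAMPLE_NODE_NAMES = ['_Node_0', '<h1>Test</h1>', 'a"b&c'];

// Renders every sample both ways and reports which rendering leaks markup.
function demo() {
  return SAMPLE_NODE_NAMES.map((name) => {
    const unsafe = renderTitleUnsafe(name);
    const safe = renderTitleSafe(name);
    return {
      name,
      unsafe,
      safe,
      unsafeLeaksMarkup: containsRawMarkup(unsafe, name),
      safeLeaksMarkup: containsRawMarkup(safe, name),
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Encoding is context dependent: the entity table above is correct for HTML text and quoted attribute values, but a value inserted into a URL, a script block or a CSS context needs that context's own encoding. In a framework such as Angular, which SFX is built on, the equivalent fix is to bind untrusted values through normal interpolation rather than through an `innerHTML`-style binding that bypasses the framework's sanitizer.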
The attacker sends a crafted URL to the Service Fabric Administrator. This URL includes an iframe that uses a simple fetch request to trigger an upgrade of a Compose deployment. The upgrade process overwrites the existing deployment with a new, malicious one. This new deployment includes a CMD instruction in its Dockerfile that will download a remote .bat file.
The .bat file retrieves a second file that contains an encoded reverse shell. This reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted. By taking control of a legitimate application in this way, the attacker can then use it as a platform to launch further attacks or gain access to sensitive data or resources.
If you have automatic updates enabled, no action is needed. If you update manually and are on version 9.1.1436.9590 or earlier, please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric cluster.