
Service Fabric Privilege Escalation from Containerized Workloads on Linux

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster.

Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack. The fix for this privilege escalation issue was made available on 26 May 2022 and has been applied to all customers subscribed to automatic updates.

Customer Impact

Customers without automatic updates enabled should upgrade their Linux clusters to the most recent SF release. Release notes can be found here. Customers whose Linux clusters are automatically updated do not need to take further action.

Additionally, if you are running SF Windows clusters, you are not impacted by this issue. However, we always recommend staying updated to the latest release.

Microsoft recommends that customers continue to review all containerized workloads (both Linux and Windows) which are permitted access to their host clusters. By default, a SF cluster is a single-tenant environment and thus there is no isolation between applications. Creating isolation is possible and additional guidance on hosting untrusted code can be found on the Azure Service Fabric security best practices page.

Microsoft’s Mitigation

Once this issue was reported to Microsoft, we took the following steps to investigate and mitigate the issue:

  • 24 May 2022 - We fixed the privilege escalation bug in the SF runtime and started updating the customers with automated updates enabled; specifically, the SF Diagnostics Collection Agent (DCA) was changed to not consume user-generated files written into the container’s log folder.
  • 09 Jun 2022 - We updated our public security guidance, including details regarding the implications of hosting untrusted code or having one’s containers compromised.
  • 14 Jun 2022 - CVE-2022-30137 was published for this issue and the fixes were deployed to customers leveraging automatic updates. Customers without automatic updates received portal notifications through Azure Service Health.

Technical Details

For an attack to be successful on the vulnerability, these ordered steps are required:

  • Step 1 : An attacker must compromise a containerized workload deployed by the owner of a Linux SF cluster.

  • Step 2 : The hostile code running inside the container could substitute an index file read by DCA with a symlink.

  • Step 3 : Using an additional timing attack, an attacker could gain control of the machine hosting the SF node.

By design, root access on the machine hosting the SF node is not considered a security boundary in an SF cluster; the highest privileged role on a node is equally privileged anywhere in the same cluster.
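The mitigation described above (DCA no longer consuming user-generated files from the container's log folder) and the symlink-plus-timing sequence in the steps above share one underlying lesson for any privileged collector that reads from a directory a less-trusted workload can write to. The following is an added example written for this page, not Service Fabric or DCA code: it opens the file relative to a directory descriptor, refuses symlinks with `O_NOFOLLOW`, and inspects the object it actually opened with `fstat` instead of checking the path beforehand, so there is no window between check and use for a swapped entry to exploit. The function name, the scratch directory and the file names are constructed for the demonstration.

```python
import os
import stat
import tempfile


def open_in_untrusted_dir(base_dir: str, name: str) -> int:
    """Open base_dir/name read-only without following symlinks and return a file descriptor.

    Raises ValueError for a bad name or a non-regular file, and OSError (ELOOP on Linux)
    when the entry is a symlink. `name` must be a single path component; the base
    directory is assumed to be a trusted, agent-owned path (hypothetical helper).
    """
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single plain path component")

    # Open the directory itself first so the file is resolved relative to a descriptor,
    # not re-resolved from a string path that the writer could change under us.
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        # O_NOFOLLOW: a symlink in the final component fails instead of being followed.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

    try:
        # Inspect the descriptor we hold, never the path: what we fstat is what we read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("refusing non-regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Constructed scenario: a scratch 'log' directory holding a normal index file,
    a symlink pointing outside the directory, and a subdirectory. Returns what a
    collector using open_in_untrusted_dir would get for each entry."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as logs:
        # A file outside the log directory, standing in for any host-owned file.
        secret = os.path.join(outside, "host_secret.txt")
        with open(secret, "w") as f:
            f.write("host data\n")

        with open(os.path.join(logs, "index.txt"), "w") as f:
            f.write("hello\n")
        os.symlink(secret, os.path.join(logs, "evil.txt"))  # symlink substituted for an index file
        os.mkdir(os.path.join(logs, "sub"))

        for name in ("index.txt", "evil.txt", "sub"):
            try:
                fd = open_in_untrusted_dir(logs, name)
            except (OSError, ValueError):
                results[name] = "refused"
                continue
            with os.fdopen(fd) as f:
                results[name] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only guards the final path component, so in a real agent the directory descriptor should be obtained once from a trusted location at startup and kept open; a collector that additionally needs ownership guarantees can check `st.st_uid` on the `fstat` result against the expected writer before reading.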

Palo Alto Networks posted a blog about this issue available here. We appreciate the opportunity to investigate the findings reported by Palo Alto Networks and thank them for practicing safe security research under the terms of our bug bounty program. More information about the Microsoft Bug Bounty Program and the program’s Terms and Conditions can be found using these links.

Additional references
