New Azure Flaw
A new vulnerability has been discovered in Microsoft’s Azure Service Fabric Explorer (SFX) that would enable unauthenticated, remote threat actors to execute code on a container hosted on a Service Fabric node.
Dubbed Super FabriXss by the Orca Security team, the cross-site scripting (XSS) flaw (CVE-2023-23383) has a CVSS score of 8.2 and affects SFX version 9.1.1436.9590 or earlier.
“The vulnerability arises from a vulnerable ‘Node Name’ parameter, which can be exploited to embed an iframe in the user’s context,” wrote Orca security researcher Lidor Ben Shitrit in a Thursday advisory.
The iframe (an HTML element designed to embed web content within websites) then retrieves remote files from an attacker-controlled server, leading to the execution of a malicious PowerShell reverse shell.
“This attack chain can ultimately result in remote code execution on the container which is deployed to the cluster, potentially allowing an attacker to take control of critical systems,” Shitrit added.
The Orca Security team confirmed it reported the vulnerability on December 20, 2022 to the Microsoft Security Response Center (MSRC), which investigated the issue and released a fix as part of its March 2023 Patch Tuesday.
According to Shitrit, this is the second XSS vulnerability that Orca has discovered in Azure Service Fabric Explorer. But, while the first one (called FabriXss) affected both Linux and Windows Clusters, the Super FabriXss flaw only exists in the Windows Cluster. Still, Shitrit warned the new vulnerability is substantially more dangerous than the previous one discovered by the team.
“With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes,” reads the advisory. “An attacker could potentially gain control of critical systems and cause significant damage.”
Orca Security has created a proof of concept for the Super FabriXss vulnerability, which is described in detail in the team’s technical write-up.
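For defenders triaging exposure, the following added example (not code from Orca or Microsoft) flags clusters that match the affected range given above, Windows clusters on SFX 9.1.1436.9590 or earlier, and flags node-name values that carry HTML markup, including percent-encoded forms. The inventory layout, cluster names, the non-affected version number and the observed values are constructed assumptions; how node-name values are collected from request logs is left to the reader's environment.

```python
from urllib.parse import unquote

# Last affected SFX version, as stated in the article.
LAST_AFFECTED = (9, 1, 1436, 9590)

def parse_version(text):
    """Turn '9.1.1436.9590' into a tuple of ints for ordered comparison."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return parts

def is_affected(sfx_version, cluster_os):
    """Affected per the article: Windows clusters on 9.1.1436.9590 or earlier."""
    return (cluster_os.lower() == "windows"
            and parse_version(sfx_version) <= LAST_AFFECTED)

def suspicious_node_name(raw_value, max_rounds=3):
    """Flag a node-name value that contains angle brackets after decoding."""
    value = raw_value
    for _ in range(max_rounds):      # undo nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return any(ch in value for ch in "<>")

def triage(clusters, observed_values):
    """Return (names of affected clusters, node-name values worth reviewing)."""
    affected = [c["name"] for c in clusters
                if is_affected(c["sfx_version"], c["os"])]
    flagged = [v for v in observed_values if suspicious_node_name(v)]
    return affected, flagged

# Constructed inventory: names and the 9.1.1583.9590 version are placeholders.
CLUSTERS = [
    {"name": "win-prod", "os": "Windows", "sfx_version": "9.1.1436.9590"},
    {"name": "win-old", "os": "Windows", "sfx_version": "8.2.1235.9590"},
    {"name": "win-patched", "os": "Windows", "sfx_version": "9.1.1583.9590"},
    {"name": "linux-prod", "os": "Linux", "sfx_version": "9.1.1436.9590"},
]
# Constructed node-name values as they might appear in request logs.
OBSERVED = ["_Node_0", "%3Ciframe%3E", "%253Ciframe%253E"]

if __name__ == "__main__":
    print(triage(CLUSTERS, OBSERVED))
```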