Microsoft provides guidance after bug found affecting Azure inspection tool

Microsoft has published guidance to address a recently discovered vulnerability affecting a tool used to inspect and manage Azure Service Fabric clusters.

In a coordinated release on Wednesday, Orca Security and Microsoft published notice of CVE-2022-35829 – a vulnerability known as “cross-site scripting” that involves the injection of malicious code into otherwise benign and trusted websites.

Microsoft Azure Service Fabric is a platform for managing distributed applications and containers on a large scale. Service Fabric runs on Windows and Linux, as well as any cloud or datacenter, according to Orca Security.

The bug – known colloquially as FabriXss – was found in the Service Fabric Explorer (SFX) tool. Orca Security’s Lidor Ben Shitrit and Roee Sagi discovered the vulnerability and explained that it allows an attacker to gain full "administrator" permissions on the Service Fabric cluster.

They reported the issue in August to Microsoft, which labeled the bug “important” and published a fix for it within the October Patch Tuesday releases.

Microsoft did not provide comment about the issue, instead directing The Record to a help document created on Wednesday that explains the vulnerability and urges customers to update to the latest SFX version.

“At this time, Microsoft is not aware of any exploitation or abuse of this vulnerability,” the company said, adding that it only affects older versions of SFX and noting that the current default SFX web client (SFXv2) is not vulnerable to attack.

“However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1). The issue requires an attacker to already have code deployment and execution privileges in the Service Fabric cluster and for the target to use the vulnerable web client (SFXv1).”

Microsoft said that an upcoming release of Service Fabric will remove SFXv1 and the option to switch to it.

Shitrit and Sagi said they discovered that anyone with a single permission can abuse it to perform actions outside of their purview, including erasing “customized settings such as passwords and security configurations, allowing an attacker to create new passwords and gain full Administrator permissions.”

“As a shared dashboard for users with different privilege levels, Service Fabric Explorer contains several applications and services serving multiple purposes. A Cluster Administrator can create the cluster, manage applications, services, and deploy or restart various Nodes and applications,” the researchers said. 

In their release, they walk through ways to exploit the bug and even provide a video of how it can be done.