Threat Watch

Microsoft Fixes Bug That Let Attackers Hijack Azure Linux Clusters

Microsoft has fixed a container escape vulnerability in the Service Fabric (SF) application hosting platform that would allow threat actors to escalate privileges to root, gain control of the host node, and compromise the entire SF Linux cluster.

Service Fabric is a platform for business-critical applications that hosts over 1 million apps, according to Microsoft data. It also powers many Microsoft products, including but not limited to Azure SQL Database, Azure Cosmos DB, Microsoft Intune, Azure Event Hubs, Azure IoT Hub, Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, and multiple core Azure services.

The SF security flaw is tracked as CVE-2022-30137 and was dubbed FabricScape by Palo Alto Networks’ Unit 42 researchers, who discovered it and reported it to Microsoft on January 30. The vulnerability is due to a race-conditioned arbitrary write in the Data Collection Agent (DCA) Service Fabric component (running as root) that enables attackers to overwrite files in the node file system with malicious content by creating symlinks to gain code execution. Redmond addressed the vulnerability with the release of the Microsoft Azure Service Fabric 9.0 Cumulative Update on June 14, according to Unit 42’s report (Microsoft says the fix was made available on May 26).
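The bug class behind FabricScape, a root-owned agent that writes to a path where a symlink has been planted, is illustrated below with an added example that is not Unit 42's or Microsoft's code and does not reproduce the actual DCA logic. It contrasts the unsafe pattern with a hardened writer that uses O_NOFOLLOW plus an fstat() check on the open descriptor, and assumes a POSIX host; the file names and contents are constructed for the demo.

```python
import errno
import os
import stat
import tempfile

def write_following_symlinks(path: str, data: bytes) -> None:
    # Unsafe pattern: open() silently follows a symlink planted at `path`,
    # so a root-owned writer clobbers whatever file the link points at.
    with open(path, "wb") as f:
        f.write(data)

def write_no_follow(path: str, data: bytes, expected_uid: int) -> None:
    # Hardened pattern: O_NOFOLLOW makes the kernel fail with ELOOP if the
    # final component is a symlink; fstat() on the open descriptor then
    # verifies type and owner without a separate check-then-open race window.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            raise PermissionError(f"refusing to write {path}: wrong type or owner")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)

def demo() -> dict:
    # Constructed scenario: a symlink sits where the agent expects its log file.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sensitive.conf")  # stands in for a host file
        with open(target, "wb") as f:
            f.write(b"original")
        link = os.path.join(d, "agent.log")
        os.symlink(target, link)
        write_following_symlinks(link, b"clobbered")
        with open(target, "rb") as f:
            overwrote = f.read() == b"clobbered"
        try:
            write_no_follow(link, b"ignored", os.getuid())
            refused = False
        except OSError as e:
            refused = e.errno == errno.ELOOP
        plain = os.path.join(d, "agent2.log")
        write_no_follow(plain, b"ok", os.getuid())
        with open(plain, "rb") as f:
            wrote_plain = f.read() == b"ok"
    return {"vulnerable_overwrote": overwrote, "hardened_refused": refused, "hardened_wrote_plain": wrote_plain}
```

Running demo() shows the unsafe writer replacing the contents of the linked-to file while the hardened writer refuses the link and still succeeds on a plain regular file.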

Fixes for this flaw have been pushed to automatically updated Linux clusters starting on June 14, after the security advisory detailing the bug was published. Customers who have enabled automatic updates on their Linux clusters don’t need to take any further action. However, those running Azure Service Fabric without automatic updates are advised to upgrade their Linux clusters to the most recent Service Fabric release as soon as possible. Microsoft says that customers who haven’t enabled automatic updates have been notified about this issue via portal notifications sent through Azure Service Health.