Researchers at Point 42 discovered a flaw in Microsoft Azure Fabric, dubbed ‘FabricScape’, extending the ongoing series of vulnerabilities the platform has been facing. The vulnerability allows bad actors on Linux to escalate their own privileges to the point where entire Linux clusters become compromised.
What is the threat?
This vulnerability is a race-condition arbitrary write in the Data Collection Agent component of Microsoft Azure Fabric. The condition depends on the agent parsing several components of a file in a given order; when exploited, it gives a bad actor the opportunity to overwrite, and consequently compromise, the file. On Linux, attackers can exploit this race condition to escalate their own privileges to a level that makes the cluster unsafe altogether. On Windows, it has been determined that the impact is less severe than on Linux because unprivileged actors cannot create the symlink conditions needed. Once they have escalated to root, attackers can take over clusters, replace files, and execute code, leaving files open to tampering and corruption.
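The Linux-specific danger described above is the general symlink race pattern: a privileged agent opens a file by name, an unprivileged user has planted a symlink at that name, and the write lands on whatever the link points to. The following is an added illustration, not code from the advisory, from Microsoft, or from the Service Fabric agent; it shows why a naive open follows the planted link and how a hardened open (O_NOFOLLOW plus an fstat check on the inode actually held) refuses it. It assumes a Linux host; the helper names (`open_nofollow`, `safe_to_write`, `demo`) and the files it creates are hypothetical and constructed in a temporary directory.

```python
import os
import stat
import tempfile
from typing import Optional


def open_nofollow(path: str, expected_uid: Optional[int] = None) -> int:
    """Open `path` for writing without following a final-component symlink,
    then verify the inode we actually hold is a regular file owned by the
    expected user. Returns an fd; raises OSError/PermissionError on failure."""
    flags = os.O_WRONLY | os.O_NOFOLLOW
    if hasattr(os, "O_CLOEXEC"):
        flags |= os.O_CLOEXEC
    fd = os.open(path, flags)  # fails with ELOOP if `path` itself is a symlink
    try:
        st = os.fstat(fd)  # check the open inode, not the name (avoids TOCTOU)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(
                f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        return fd
    except Exception:
        os.close(fd)
        raise


def safe_to_write(path: str, expected_uid: Optional[int] = None) -> bool:
    """True if the hardened open accepts `path`, False if it refuses it."""
    try:
        fd = open_nofollow(path, expected_uid)
    except OSError:  # PermissionError is a subclass of OSError
        return False
    os.close(fd)
    return True


def demo() -> dict:
    """Constructed scenario: a regular log file, a 'protected' file, and a
    symlink planted at a log-file name that points at the protected file."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "regular.log")
        protected = os.path.join(d, "protected.conf")
        planted = os.path.join(d, "planted.log")  # hypothetical planted name
        for p in (regular, protected):
            with open(p, "w") as f:
                f.write("constructed sample content\n")
        os.symlink(protected, planted)

        # Naive open follows the link: the fd refers to protected.conf.
        naive_fd = os.open(planted, os.O_WRONLY)
        naive_follows_link = os.path.samestat(os.fstat(naive_fd), os.stat(protected))
        os.close(naive_fd)

        me = os.getuid()
        return {
            "regular": safe_to_write(regular, me),        # accepted
            "symlink": safe_to_write(planted, me),        # refused (ELOOP)
            "naive_follows_link": naive_follows_link,     # True: the danger
        }


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only protects the final path component; a symlinked parent directory is still followed, so the directory the agent writes into must itself be trusted (not world-writable), and on Linux the `fs.protected_symlinks` sysctl further limits link-following in sticky world-writable directories such as /tmp.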
Why is it noteworthy?
This is especially noteworthy because Microsoft Azure is a widely used platform. The growing list of discovered vulnerabilities makes it easier for bad actors to gain access to users’ hosted environments and leaves those environments susceptible to cyberattacks. This vulnerability gives bad actors the potential to manipulate specific files and escalate their privileges in Linux clusters, posing substantial risk to those who use these services.
What is the exposure risk?
This vulnerability lets bad actors escalate privileges on Linux clusters, allowing them to corrupt files and take control of clusters. Once it is exploited, they can also execute code against unwitting users and replace files with ones of a different type, endangering the users and their data.
What are the recommendations?
Barracuda MSP recommends that businesses using Microsoft Azure enable automatic updates for their applications and ensure the latest patches are applied as soon as they are available.
If you have any questions, please contact our Security Operations Center.