Tag Archive for: Azure

Linux Container-Escape Flaw in Azure Service Fabric


Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft’s automatic update service, but others will need to manually patch to the latest version of Service Fabric. “Customers whose Linux clusters are automatically updated do not need to take further action,” the company said in its bug disclosure announcement.

A Privilege-Escalation Issue

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Networks discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor’s Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

“The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application,” says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker…

Source…

Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories


Microsoft says it is looking into claims that the Lapsus$ data extortion hacking group gained access to its internal Azure DevOps source code repositories and stole data.

The company told BleepingComputer that it was aware of the claims made by the group and was in the process of investigating those claims.

Over the last few months, Lapsus$ has compromised a number of major companies, including Samsung, Nvidia, Vodafone, Mercado Libre and Ubisoft. Earlier this month, the gang published a massive collection of files, about 190 GB in total, which it said belonged to Samsung Electronics.

The leak allegedly included bootloader source code for recent Samsung devices, algorithms for all biometric unlock operations, source code for Samsung’s activation servers, the full source code used to authenticate Samsung accounts, and secret Qualcomm source code.

While other extortion gangs use ransomware to lock their victims’ machines, Lapsus$ uses a different strategy. It goes after the source code repositories of big companies, steals their proprietary data, and then demands millions of dollars in ransom to give that data back to the victims.

On Sunday, the Lapsus$ gang shared on its Telegram channel a screenshot of what appeared to be data acquired from an official developer account for Azure, Microsoft’s cloud computing business.

The operatives claimed to have gained access to an Azure repository that contained the source code for Cortana as well as other Bing projects.

Lapsus$ said it accessed the repositories by hacking an Azure DevOps server.

An administrator of the Telegram channel later deleted the screenshots and posted the message: “Deleted for now will repost later”.

However, the group left the initials of the logged-in user, “IS,” in the screenshot, potentially enabling Microsoft to identify the hacked account.

Microsoft has previously said that a source code leak does not increase the security risk associated with its products.

The company’s security strategy already makes the assumption that bad actors have…

Source…

Microsoft Azure security flaw may have exposed customer data, warns CERT-In


We missed this earlier: The Indian Computer Emergency Response Team (CERT-In) issued an advisory on August 27, warning against a critical security vulnerability in Microsoft Azure’s cloud platform Cosmos DB. According to the advisory, a vulnerability in open-source platform Jupyter Notebook – used for data sharing and visualisation on Cosmos – exposed primary keys of users (which are used for administrative purposes to manage user accounts, according to a Microsoft webpage), potentially giving an attacker admin access to data stored by affected accounts.

According to CERT-In, the vulnerability could allow a hacker unrestricted access to download, delete, or manipulate any user data stored on the Cosmos DB platform.

Earlier this year, Microsoft had reportedly turned the Jupyter Notebook feature on by default for all Cosmos DB instances, including those of Fortune 500 companies Exxon Mobil and Coca-Cola. A day before the CERT-In advisory, Microsoft notified 30% of its customers who may have been impacted by the breach, Reuters reported. Cloud security firm Wiz.io, which first alerted Microsoft about the issue, said that the vulnerability had existed for a few months before it was flagged and may have impacted all customers. Here’s an illustration of the vulnerability:

https://spinsafe.com/wp-content/uploads/2021/09/Microsoft-Azure-security-flaw-may-have-exposed-customer-data-warns.gif

Source: Wiz.io

Microsoft asks customers to reset keys

On August 26, according to a Wiz.io blog, Microsoft mailed its customers the following statement:

Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.

We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of…

Source…

‘OMIGOD’ Microsoft Azure vulnerabilities expose users to hacking


A range of recently revealed vulnerabilities in Microsoft Corp.’s Azure remain open to exploitation, as customers may be required to apply the patch manually.

Dramatically dubbed OMIGOD by researchers at Wiz Inc. in a notice Tuesday, the vulnerabilities relate to the Open Management Infrastructure (OMI) agent that’s deployed when Azure users set up a Linux virtual machine in the cloud and enable certain Azure services. Attackers can use the four vulnerabilities to obtain root privileges and execute malicious code, including ransomware with file encryption.

According to Sophos, one of the vulnerabilities is a bug that boils down to “a laughably easy trick” because it requires no password. Rather than guessing a valid authentication token to insert into a fraudulent OMI web request, simply omitting all mention of the authentication token delivers access.

The vulnerabilities affect users of Azure services, including Automation, Automatic Update, Operations Management Suite, Log Analytics, Configuration Management, Diagnostics and Container Insights.

In a typical case of vulnerabilities being revealed, particularly with cloud-based services, patches would be applied, but this is not a typical case. Microsoft offered a patch in August, but Azure services remain exposed.

The problem is that users may have to apply the patches themselves, even though the issue resides in Azure Linux installs. Complicating the matter further, many users may not be aware that they have OMI installed, since it’s installed when users add one of those Azure services.

The Wiz researchers conservatively estimate that thousands of Azure customers and millions of endpoints are affected. Further, they noted, it might not just be those using Azure who are affected, since OMI is also independently installed on other Linux machines and is often used on-premises.

“Management agents like OMI are part of the overall attack surface for a deployed system and as such need to be accounted for within the threat models associated with the application,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE.

“Put…

Source…