Azure service containers unauthenticated remote code execution patch released
Indiscriminate, opportunistic targeting.
Any organisation that uses Service Fabric Explorer version 9.1.1436.9590 or earlier is vulnerable to remote code execution (RCE). The vulnerability is tracked as CVE-2023-23383 (CVSSv3 score of 8.2). Microsoft has released a patch for this vulnerability. We strongly encourage users to update manually as soon as possible if automatic updating is disabled.
This cross-site scripting (XSS) vulnerability, called Super FabriXss, is an extension of an earlier vulnerability called FabriXss, which was tracked as CVE-2022-35829. Successful exploitation allows RCE using a crafted link sent to the victim. A Proof of Concept (PoC) has been released.
An attacker who has gained initial access into Azure can send a malicious link on a trusted domain, which users are more likely to trust and click. Once the victim clicks the link, the attacker's injected code is executed remotely without any authentication required.
An XSS RCE vector through Azure can allow attackers to pivot to ransomware after initial Azure access. A PoC has been released. This increases the likelihood of exploitation.
Service Fabric Explorer (SFE) versions 9.1.1436.9590 and earlier are vulnerable. Nodes in the SVB are exploitable with the `Cluster` Event Type enabled under the `Events` tab.
Windows Nodes in Microsoft Azure Service Fabric Explorer 9.1.1436.9590 and earlier.
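One way to triage an inventory against the affected range above. This is an added example, not code from this advisory or from Microsoft. The cluster names and every version other than 9.1.1436.9590 are constructed sample values, and it assumes the version you record per cluster is the one the advisory refers to.

```python
from __future__ import annotations

# Last affected version, as stated in this advisory.
LAST_AFFECTED = (9, 1, 1436, 9590)


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted four-part version into integers; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text: str) -> str:
    """Return 'affected', 'not-affected' or 'review' for one version string."""
    try:
        version = parse_version(version_text)
    except ValueError:
        # Unknown or truncated versions are never treated as safe.
        return "review"
    # Compare field by field as integers. A plain string comparison would
    # order "9.1.1436.10000" before "9.1.1436.9590" and mislabel it.
    return "affected" if version <= LAST_AFFECTED else "not-affected"


def triage(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map each cluster name to its classification."""
    return {name: classify(version) for name, version in inventory}


# Constructed inventory (hypothetical names; versions are illustrative,
# not real release numbers, except the threshold taken from the advisory).
SAMPLE_INVENTORY = [
    ("sf-prod-01", "9.1.1436.9590"),   # exactly the last affected version
    ("sf-prod-02", "9.1.1436.10000"),  # numerically newer last field
    ("sf-legacy", "8.2.1000.9590"),    # older major version
    ("sf-dev", "9.10.1.1"),            # 9.10 sorts after 9.1 numerically
    ("sf-unknown", "9.1.x"),           # malformed entry from a spreadsheet
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Clusters reported as `review` need their version confirmed by hand before they can be ruled out.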
Containment, Mitigations & Remediations
Alongside updating SFE, awareness training will help employees identify suspicious indicators and avoid clicking malicious links. Phishing is a common vector for attackers to gain initial access. Use web proxies to filter suspicious domains, alongside general awareness training to help your employees spot phishing attempts.
Exploitation of this vulnerability requires initial access into Azure. Technical controls should be explored to prevent malicious Azure access. Implementation of multi-factor authentication (MFA) and conditional access policies for stronger authentication is highly encouraged.
Indicators of Compromise
No IoCs have been identified with this particular vulnerability.
Microsoft’s Azure Service Fabric allows deployment and management of microservices at a large scale.
This vulnerability has not been attributed to a threat group.
Service Fabric Explorer Spoofing Vulnerability
Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383)