Azure service containers unauthenticated remote code execution patch released

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Any organisation that uses Service Fabric Explorer version 9.1.1436.9590 or earlier is vulnerable to remote code execution (RCE) through a vulnerability tracked as CVE-2023-23383 (CVSSv3 score of 8.2). Microsoft has released a patch for this vulnerability. We strongly encourage users to update manually as soon as possible if automatic updating is disabled.

This Cross Site Scripting (XSS) vulnerability, called Super FabriXss, is an extension of an earlier vulnerability called FabriXss, which was tracked as CVE-2022-35829. Successful exploitation allows RCE using a crafted link sent to the victim. A Proof of Concept (PoC) has been released.

Impact

An attacker who has gained initial access into Azure can send a malicious link on a trusted domain, which users are more likely to trust and click. Once the victim clicks the link, the attacker's injected code executes remotely without any authentication required.

An XSS RCE vector through Azure can allow attackers to pivot to ransomware after initial Azure access. A PoC has been released, which increases the likelihood of exploitation.

Vulnerability Detection

Service Fabric Explorer (SFE) versions 9.1.1436.9590 and earlier are vulnerable. Nodes in the SVB are exploitable with the `Cluster` Event Type enabled under the `Events` tab.
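The version condition above can be checked across an inventory export. The following is an added example, not code from Microsoft or from the bulletin's sources; the cluster names and all versions other than 9.1.1436.9590 are constructed, and it checks only the version, not whether the `Cluster` Event Type is enabled.

```python
# Added example: triage reported Service Fabric Explorer versions against
# the last affected build named in this bulletin.
LAST_AFFECTED = (9, 1, 1436, 9590)  # this build and earlier are vulnerable


def parse_version(text):
    """Parse a dotted four-part build string into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'vulnerable', 'newer' or 'unknown' for one reported version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never treat an unparseable version as safe
    # Tuple comparison is numeric per component; a plain string comparison
    # would wrongly rank "9.1.999.9590" above "9.1.1436.9590".
    return "vulnerable" if version <= LAST_AFFECTED else "newer"


def triage(inventory):
    """Map {cluster_name: version_string} to {status: [cluster_names]}."""
    result = {"vulnerable": [], "newer": [], "unknown": []}
    for name, version_text in sorted(inventory.items()):
        result[classify(version_text)].append(name)
    return result


# Constructed sample inventory (names and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "cluster-a": "9.1.1436.9590",  # exactly the last affected build
    "cluster-b": "9.1.999.9590",   # older build that sorts "higher" as a string
    "cluster-c": "10.0.1.1",       # hypothetical later build
    "cluster-d": "9.1.x",          # malformed value from a bad export
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Entries reported as `unknown` should be verified by hand rather than assumed to be updated.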

Affected Products

Windows Nodes in Microsoft Azure Service Fabric Explorer 9.1.1436.9590 and earlier.

Containment, Mitigations & Remediations

Alongside updating SFE, awareness training will help employees identify suspicious indicators and avoid clicking malicious links. Phishing is a common vector for attackers to gain initial access, so web proxies that filter suspicious domains should be combined with general awareness training to help your employees spot phishing attempts.

Exploitation of this vulnerability requires initial access into Azure. Technical controls should be explored to prevent malicious Azure access. Implementation of multi-factor authentication (MFA) and conditional access policies for stronger authentication are highly encouraged.

Indicators of Compromise

No IoCs have been identified with this particular vulnerability.

Threat Landscape

Microsoft’s Azure Service Fabric allows deployment and management of microservices at a large scale.

Threat Group

This vulnerability has not been attributed to a threat group.

Mitre Methodologies

Tactic:

T1059.007 – JavaScript Execution

Further Information

Service Fabric Explorer Spoofing Vulnerability

Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383)

Intelligence Terminology Yardstick