Microsoft Azure Functions Vulnerable to Docker Escape Bug


An unpatched vulnerability in Microsoft Azure Functions has been found, this was announced by Paul Litvak, a cybersecurity researcher. This could be used by an attacker to intensify privileges and escape the Docker container used for hosting them.

The popularity of Docker makes it an attractive target for cybercriminals who are always looking for systems that they can exploit
The popularity of Docker makes it an attractive target for cybercriminals who are always looking for systems that they can exploit
Key Facts
  1. 1

    The trigger code is an HTTP request configured to call an Azure Function

  2. 2

    The researchers first created an HTTP trigger to gain a foothold over the Function container

  3. 3

    Mesh binary was identified to contain a flaw that could be exploited to grant the app user that runs the Function root permissions.


The Azure Functions triggered by HTTP requests run for very few minutes, whereas the user's code is being run in the background by an Azure-Managed container without the user managing their infrastructure.

Though Microsoft has concluded that the issue has no security impact whatsoever on Azure Functions users, there is a possibility the extended privilege assigned to the container (using the flag) can be abused to escape the Docker container and run an erratic command on the host.

This is because the Mesh binary itself is undocumented and has little information, the researchers at Intezer found references to it in a public build log of a Docker image with this path “/root/mesh/init”, which they used as a privileged escalation.

In a statement put out by Microsoft, “The vulnerability has no security impact on Functions users because the host is still protected by another defense boundary against the elevated position we reached in the container host.” This came as part of Intezer Lab’s investigation into the Azure computing infrastructure.

Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that enables users to run event-triggered code without the need to explicitly provision or manage the infrastructure while making it possible to scale and allocate resources and processing on demand.

By incorporating Docker into the mix, developers can quickly deploy and run Azure Functions in the cloud or on-premises.

A proof-of-concept (POC) exploit code has been released on GitHub by Intezer to probe the Docker host environment.

According to Intezer Lab researchers, attackers can find a way in through vulnerable third-party software, as vulnerabilities are sometimes out of the cloud user’s control.

Finally, it is of utmost importance that protective measures are put in place to identify and terminate when the hacker executes unauthorized code in your production environment.

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …