Microsoft Azure Functions Vulnerable to Docker Escape Bug


An unpatched vulnerability in Microsoft Azure Functions has been found, this was announced by Paul Litvak, a cybersecurity researcher. This could be used by an attacker to intensify privileges and escape the Docker container used for hosting them.

The popularity of Docker makes it an attractive target for cybercriminals who are always looking for systems that they can exploit
The popularity of Docker makes it an attractive target for cybercriminals who are always looking for systems that they can exploit
Key Facts
  1. 1

    The trigger code is an HTTP request configured to call an Azure Function

  2. 2

    The researchers first created an HTTP trigger to gain a foothold over the Function container

  3. 3

    Mesh binary was identified to contain a flaw that could be exploited to grant the app user that runs the Function root permissions.


The Azure Functions triggered by HTTP requests run for very few minutes, whereas the user's code is being run in the background by an Azure-Managed container without the user managing their infrastructure.

Though Microsoft has concluded that the issue has no security impact whatsoever on Azure Functions users, there is a possibility the extended privilege assigned to the container (using the flag) can be abused to escape the Docker container and run an erratic command on the host.

This is because the Mesh binary itself is undocumented and has little information, the researchers at Intezer found references to it in a public build log of a Docker image with this path “/root/mesh/init”, which they used as a privileged escalation.

In a statement put out by Microsoft, “The vulnerability has no security impact on Functions users because the host is still protected by another defense boundary against the elevated position we reached in the container host.” This came as part of Intezer Lab’s investigation into the Azure computing infrastructure.

Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that enables users to run event-triggered code without the need to explicitly provision or manage the infrastructure while making it possible to scale and allocate resources and processing on demand.

By incorporating Docker into the mix, developers can quickly deploy and run Azure Functions in the cloud or on-premises.

A proof-of-concept (POC) exploit code has been released on GitHub by Intezer to probe the Docker host environment.

According to Intezer Lab researchers, attackers can find a way in through vulnerable third-party software, as vulnerabilities are sometimes out of the cloud user’s control.

Finally, it is of utmost importance that protective measures are put in place to identify and terminate when the hacker executes unauthorized code in your production environment.

Get similar stories in your inbox weekly, for free

Is this news interesting? Share it with your followers

Latest stories

200 Million Certificates in 24 Hours

Let's Encrypt has been providing free Certificate Authority (CA) for websites in need of them …

Gatling VS K6

Gatling and K6 are performance load testing tools, and they are both open source, easy …

Red Hat Ansible Platform 1 vs 2; What’s the Difference?

Red Hat Ansible is a platform used by enterprises to manage, unify and execute infrastructure …

Domino Data Labs Raised $100 Million in the Latest Funding Round

Culled from the news released by Domino Data labs on funding and the company's progress …

New Release: The Microsoft Azure Purview Is Now Available on General Availability

News report detailing the announcement of the release of Azure purview on GA

Google Introduces Online Training Program to Improve Cloud Skills

Google addresses existing cloud personnel deficiency with training programs.