Microsoft Azure Functions Vulnerable to Docker Escape Bug
An unpatched vulnerability in Microsoft Azure Functions has been found, this was announced by Paul Litvak, a cybersecurity researcher. This could be used by an attacker to intensify privileges and escape the Docker container used for hosting them.
The trigger code is an HTTP request configured to call an Azure Function
The researchers first created an HTTP trigger to gain a foothold over the Function container
Mesh binary was identified to contain a flaw that could be exploited to grant the app user that runs the Function root permissions.
The Azure Functions triggered by HTTP requests run for very few minutes, whereas the user's code is being run in the background by an Azure-Managed container without the user managing their infrastructure.
Though Microsoft has concluded that the issue has no security impact whatsoever on Azure Functions users, there is a possibility the extended privilege assigned to the container (using the flag) can be abused to escape the Docker container and run an erratic command on the host.
This is because the Mesh binary itself is undocumented and has little information, the researchers at Intezer found references to it in a public build log of a Docker image with this path “/root/mesh/init”, which they used as a privileged escalation.
In a statement put out by Microsoft, “The vulnerability has no security impact on Functions users because the host is still protected by another defense boundary against the elevated position we reached in the container host.” This came as part of Intezer Lab’s investigation into the Azure computing infrastructure.
Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that enables users to run event-triggered code without the need to explicitly provision or manage the infrastructure while making it possible to scale and allocate resources and processing on demand.
By incorporating Docker into the mix, developers can quickly deploy and run Azure Functions in the cloud or on-premises.
A proof-of-concept (POC) exploit code has been released on GitHub by Intezer to probe the Docker host environment.
According to Intezer Lab researchers, attackers can find a way in through vulnerable third-party software, as vulnerabilities are sometimes out of the cloud user’s control.
Finally, it is of utmost importance that protective measures are put in place to identify and terminate when the hacker executes unauthorized code in your production environment.
Get similar news in your inbox weekly, for free
Share this news:
Today, companies make the most use of cloud technology regardless of their size and sector. …
In this post, you will learn how to optimize your cybersecurity and performance monitoring tools …
We launched the first episode of a webinar series to tackle one of the major …