Microsoft Azure Functions Vulnerable to Docker Escape Bug
An unpatched vulnerability in Microsoft Azure Functions has been found, this was announced by Paul Litvak, a cybersecurity researcher. This could be used by an attacker to intensify privileges and escape the Docker container used for hosting them.
The trigger code is an HTTP request configured to call an Azure Function
The researchers first created an HTTP trigger to gain a foothold over the Function container
Mesh binary was identified to contain a flaw that could be exploited to grant the app user that runs the Function root permissions.
The Azure Functions triggered by HTTP requests run for very few minutes, whereas the user's code is being run in the background by an Azure-Managed container without the user managing their infrastructure.
Though Microsoft has concluded that the issue has no security impact whatsoever on Azure Functions users, there is a possibility the extended privilege assigned to the container (using the flag) can be abused to escape the Docker container and run an erratic command on the host.
This is because the Mesh binary itself is undocumented and has little information, the researchers at Intezer found references to it in a public build log of a Docker image with this path “/root/mesh/init”, which they used as a privileged escalation.
In a statement put out by Microsoft, “The vulnerability has no security impact on Functions users because the host is still protected by another defense boundary against the elevated position we reached in the container host.” This came as part of Intezer Lab’s investigation into the Azure computing infrastructure.
Azure Functions, analogous to Amazon AWS Lambda, is a serverless solution that enables users to run event-triggered code without the need to explicitly provision or manage the infrastructure while making it possible to scale and allocate resources and processing on demand.
By incorporating Docker into the mix, developers can quickly deploy and run Azure Functions in the cloud or on-premises.
A proof-of-concept (POC) exploit code has been released on GitHub by Intezer to probe the Docker host environment.
According to Intezer Lab researchers, attackers can find a way in through vulnerable third-party software, as vulnerabilities are sometimes out of the cloud user’s control.
Finally, it is of utmost importance that protective measures are put in place to identify and terminate when the hacker executes unauthorized code in your production environment.