Uncovering FabricScape

Palo Alto Networks Teams Up With Microsoft to Mitigate New Cloud Vulnerability (CVE-2022-30137 aka FabricScape)

The Unit 42 threat research group at Palo Alto Networks today released a research blog describing FabricScape – a vulnerability of important severity that our cloud research team discovered in the open source Service Fabric, an infrastructure for application hosting on containers and virtual machines. The vulnerability was assigned CVE-2022-30137. We approached Microsoft after learning that the vulnerability affected the Azure Service Fabric, which Microsoft and many other organizations rely upon for cloud deployments. We teamed up with the Microsoft Security Response Center to develop a fix for the vulnerability, which Microsoft released on June 14.

We’re releasing details about this vulnerability to raise awareness of potential threats to cloud environments as part of ongoing efforts by Palo Alto Networks, the Prisma Cloud team and Unit 42 to improve public cloud security. Unit 42 researchers analyze open-source software and cloud infrastructure on an ongoing basis to identify new vulnerabilities and emerging threats.

Here’s some more information about FabricScape:

What is FabricScape?

FabricScape is a recently discovered vulnerability in Service Fabric. The vulnerability could allow malicious actors to take over Linux hosting environments: it allows a compromised container to escape and take over the cluster running it. A container could become compromised through a known or zero-day vulnerability in the application it runs, or through a supply-chain attack such as typosquatting or a malicious package. Unit 42 found that the vulnerability affected the Azure Service Fabric offering, which many organizations, including Microsoft, rely upon for their cloud deployments.

Who uses Service Fabric?

Service Fabric is open-source software that powers many Azure and Microsoft services such as Azure Cosmos DB and Azure SQL Database, hosting over a million applications and running millions of cores daily.

What is the impact if attacked with FabricScape?

Once exploited, FabricScape could allow adversaries to escalate privileges and gain full control over the entire cluster. From there, attackers could move laterally and steal, manipulate or destroy an organization’s data. Attackers could even shut down the entire cluster, causing a denial of service.

A multitenant takeover is only possible with FabricScape if an organization uses Service Fabric to host multiple tenants under the same cluster. Fortunately, a multitenant takeover was not possible on the Azure services that Unit 42 tested, as Microsoft disabled runtime access.

Are attackers actively exploiting this vulnerability?

We do not know of any attacks that have occurred in the wild.

How can I know if I am affected?

Organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected.

Organizations that use Azure offerings that are based on managed Service Fabric clusters are safe as Microsoft updated its deployments prior to the announcement.
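The check described above reduces to three conditions: the cluster runs Linux, runtime access is granted (the default), and the runtime version is below 9.0.1035.1. The script below is an added example, not code from Palo Alto Networks or Microsoft. It assumes the runtime version is available as a dotted numeric string such as "9.0.1035.1" (how you obtain it from your cluster tooling is outside the script) and the cluster inventory it walks is constructed for illustration. The point it makes beyond the text is that the comparison must be numeric: a plain string comparison ranks "9.0.999.1" above "9.0.1035.1".

```python
"""Affected-version check for the FabricScape (CVE-2022-30137) advisory.

Added example, not part of the original post. Assumes Service Fabric
reports its runtime version as a dotted numeric string; retrieving that
string from a cluster is left to your own management tooling.
"""
from typing import Tuple

# Minimum fixed Linux runtime version stated in the advisory.
MIN_FIXED_VERSION = "9.0.1035.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "9.0.1035.1" into (9, 0, 1035, 1).

    Numeric parsing matters: comparing the raw strings would rank
    "9.0.999.1" above "9.0.1035.1" because "9" > "1" character-wise.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_least(version: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True when `version` >= `minimum`; shorter tuples are zero-padded
    so "9.1" is treated as 9.1.0.0."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess_cluster(version: str, linux: bool, runtime_access: bool) -> str:
    """Apply the advisory's conditions: Linux cluster, runtime access
    granted (the default), runtime older than the fixed version."""
    if not linux:
        return "not affected: the advisory covers Linux clusters only"
    if is_at_least(version):
        return f"not affected: runtime {version} is at or above {MIN_FIXED_VERSION}"
    if not runtime_access:
        return (f"runtime {version} is below {MIN_FIXED_VERSION} but runtime access "
                f"is disabled; the escape precondition is absent, upgrade regardless")
    return (f"AFFECTED: Linux cluster on {version} with runtime access; "
            f"upgrade to {MIN_FIXED_VERSION} or later")


if __name__ == "__main__":
    # Constructed sample inventory (cluster name, version, is_linux,
    # runtime_access); not real cluster data.
    inventory = [
        ("linux-cluster-a", "9.0.1035.1", True, True),
        ("linux-cluster-b", "9.0.999.1", True, True),
        ("linux-cluster-c", "9.0.999.1", True, False),
        ("windows-cluster", "9.0.999.1", False, True),
    ]
    for name, ver, is_linux, access in inventory:
        print(f"{name}: {assess_cluster(ver, is_linux, access)}")
```

Run it against an inventory exported from your own tooling; any line beginning with "AFFECTED" is a cluster to upgrade before anything else.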

How is this similar to Azurescape?

Azurescape describes a vulnerability in Azure, Microsoft’s cloud platform, that could have caused a complete takeover of cloud environments known as “clusters.” The Unit 42 cloud research team at Palo Alto Networks discovered the vulnerability and collaborated with Microsoft to promptly resolve it. Unit 42 and Microsoft have no knowledge of this vulnerability being exploited in the wild. FabricScape is very similar to Azurescape in the sense that both vulnerabilities allow gaining administrative privileges of a cluster.

How did you discover FabricScape?

As part of an in-depth review of Azure cloud infrastructure security, Unit 42 researcher Aviv Sasson discovered that Service Fabric may be susceptible to a container escape and cluster takeover. From that point, Aviv tested the issue on Azure Service Fabric and was able to elevate privileges and eventually gain administrative access to the Service Fabric cluster.

Takeaways

In consideration of the shared responsibility model, cloud users are encouraged to adopt a defense-in-depth approach to cloud security so that breaches are contained and detected, whether the threat comes from outside or from the platform itself. A combination of shift-left security, runtime protection and anomaly detection presents the best chance of combating similar attacks.

To address this specific vulnerability, we advise that customers running Azure Service Fabric without automatic updates enabled should upgrade their Linux clusters to the most recent Service Fabric release. Customers whose Linux clusters are automatically updated do not need to take further action.

Microsoft and Palo Alto Networks recommend avoiding execution of untrusted applications in Service Fabric. See Service Fabric documentation for more information.

Prisma Cloud Protections

Palo Alto Networks customers running Prisma Cloud are protected from this vulnerability in multiple layers:

  • The Host Runtime Protection feature identifies anomalies on VMs and protects against malicious activities. This feature could detect attackers running malicious payloads on hosts after escaping a Service Fabric container.
  • Trusted Images can be used to ensure malicious containers are not run, reducing the possibility a Service Fabric container will be compromised.
  • Vulnerability Management by Prisma Cloud can be used to ensure containers are not breached due to known vulnerabilities in container images. Prisma Cloud users gain visibility into known vulnerabilities in their containers and hosts with its exhaustive Intelligence Stream.

For more in-depth technical information on this vulnerability, read the Unit 42 research blog about FabricScape.