Researchers at Orca Security have discovered a serious vulnerability in Microsoft’s Azure Service Fabric Explorer (SFX), a tool used for managing and monitoring applications.
Dubbed “Super FabriXss”, the flaw is an unauthenticated remote code execution issue that could allow an attacker to leverage an XSS vulnerability to execute code and potentially gain control of affected systems.
While SFX fixed a similar FabriXss flaw last year, this latest vulnerability is far more severe as it enables an attacker to achieve remote code execution on a container without requiring authentication.
The flaw is said to affect Azure Service Fabric Explorer version 9.1.1436.9590 or earlier.
The Super FabriXss flaw resides in the “Events” tab associated with each node in the cluster from the user interface. The vulnerability is a reflected XSS flaw, meaning the script is embedded into a link and is only triggered when the link is clicked. The attack takes advantage of the Cluster Type Toggle options under the Events Tab in the Service Fabric platform.
This enables an attacker to overwrite an existing Compose deployment by triggering an upgrade with a specially crafted URL from the XSS vulnerability.
By taking control of a legitimate application in this way, the attacker can then use it as a platform to launch further attacks or gain access to sensitive data or resources.
Microsoft addressed the issue as part of its March 2023 Patch Tuesday update, with the tech giant describing it as a spoofing vulnerability. According to Microsoft, the vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster.
A victim user would have to click the stored XSS payload injected by the attacker to be compromised.
The discovery of the Super FabriXss vulnerability follows the revelation of a privilege escalation flaw in Azure Function Apps and the discovery of a misconfiguration in Azure Active Directory that exposed a number of applications to unauthorized access, including a content management system that powers Bing.com.