Connect with us

Hi, what are you looking for?



Azure Service Fabric Vulnerability Can Lead to Cluster Takeover

Microsoft has patched a vulnerability that could allow an attacker with access to an Azure Linux container to escalate privileges and take over the entire cluster.

Microsoft has patched a vulnerability that could allow an attacker with access to an Azure Linux container to escalate privileges and take over the entire cluster.

Tracked as CVE-2022-30137, the vulnerability impacts Service Fabric, Microsoft’s container orchestrator that provides management of services across container clusters. Microsoft says Service Fabric hosts over one million applications.

The security issue is exploitable only on containers with access to the Service Fabric runtime, which implies access to the log directory, according to Palo Alto Networks security researchers, who identified and reported the issue.

Service Fabric clusters consider hosted applications to be trusted, thus allowing them to access the Service Fabric runtime data by default, which means that applications can access information about their environment and write logs to specific locations, the researchers note.

The security hole impacts Data Collection Agent (DCA), a Service Fabric component that “handles files that could be modified by containers”, thus allowing for container escape and root access to the node. DCA uses the LoadFromFile and SaveToFile functions to read from and write to files, respectively.

“This functionality results in a symlink race. An attacker in a compromised container could place malicious content in the file that LoadFromFile reads. While it continues to parse the file, the attacker could overwrite the file with a symlink to a desirable path so that later SaveToFile will follow the symlink and write the malicious content to that path,” Palo Alto Networks explains.

According to Microsoft, an attacker able to execute code inside a container that has access to the Service Fabric runtime would also need read/write access to the cluster to successfully exploit the vulnerability. The vulnerability exists in both Linux and Windows clusters, but can only be exploited on Linux.

Advertisement. Scroll to continue reading.

On May 26, Microsoft released a fix for the bug in Service Fabric runtime and delivered it to all Azure customers with automatic updates enabled. On June 14, Microsoft published an advisory on the vulnerability and announced the patches for customers with automatic updates. All Azure customers are advised to apply the available security updates as soon as possible.

“Azure Service Fabric team is releasing a patch to further strengthen the security in the Linux cluster by adapting the principle of path to least privilege,” Microsoft said in its advisory.

Related: Microsoft Dismisses False Reports About End of Patch Tuesday

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.