Connect with us

Hi, what are you looking for?


Cloud Security

Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

A high-severity vulnerability in Azure Service Fabric Explorer could have allowed a remote, unauthenticated attacker to execute arbitrary code.

A high-severity vulnerability in Microsoft’s Azure Service Fabric Explorer could have allowed a remote, unauthenticated attacker to execute arbitrary code, cloud security firm Orca says.

Tracked as CVE-2023-23383 (CVSS score of 8.2), the bug is described as a cross-site scripting (XSS) issue that could lead to the execution of code on containers hosted on a Service Fabric node.

Referred to as ‘Super FabriXss’, the flaw resided in a ‘Node Name’ parameter, which allowed an attacker to embed an iframe to retrieve files from a remote server controlled by the attacker.

By exploiting the security defect, an attacker could execute a malicious PowerShell reverse shell, allowing them to run code on the container deployed to the cluster, potentially leading to system takeover. Both Linux and Windows clusters were found vulnerable to the attack.

After creating a new Azure Service Fabric, the researchers observed that modifying a Node name in the user interface is reflected in the Node’s independent dashboard.

The researchers then crafted a URL and enabled the Cluster Event Type under the Events tab, which allowed them to trigger a JavaScript payload, eventually achieving remote code execution (RCE).

Orca Security’s proof-of-concept (PoC) uses a URL with an embedded iframe that triggers an upgrade of an Internet Information Services (IIS) application that includes an instruction to download a .bat file containing an encoded reverse shell.

Advertisement. Scroll to continue reading.

The attacker can then abuse the reverse shell to gain remote access to the application and use it to launch further attacks, access sensitive information, or potentially take over the cluster node hosting the container.

An attacker could create a custom URL that, when accessed by an authenticated user with appropriate permissions, could instruct the user to enable the Cluster Event Type, triggering the code execution chain.

“It’s worth noting that this attack takes advantage of the Cluster Type Toggle options under the Events Tab in the Service Fabric platform that allows an attacker to overwrite an existing Compose deployment by triggering an upgrade with a specially crafted URL from XSS vulnerability,” Orca explains.

Microsoft addressed the vulnerability as part of the March 2023 Patch Tuesday security updates, marking it as ‘important’. Due to the complexity of an attack and required user interaction, the tech giant believes that exploitation of this bug is ‘less likely’.

“The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster. A victim user would have to click the stored XSS payload injected by the attacker to be compromised,” Microsoft notes in its advisory.

Organizations using Azure Service Fabric Explorer version 9.1.1436.9590 or earlier are advised to update to a patched release as soon as possible. No action is required from Microsoft customers with automatic updates enabled.

Related: Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

Related: Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April

Related: Microsoft SmartScreen Zero-Day Exploited to Deliver Magniber Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...