Privilege Escalation Flaw Discovered in Microsoft’s Azure Functions

essidsolutions

Security researchers at Intezer Labs Ltd. have discovered a new vulnerability in Azure Functions, which allows an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.

Azure Functions is advertised by Microsoft as a serverless compute solution that allows developers to write less code, maintain less infrastructure, save on costs, and keep all their applications running without having to worry about deploying and maintaining servers.

The software allows developers to implement their system’s logic as readily available blocks of code called “functions” and to use as many resources and application instances as they need to build a Web API, respond to database changes, manage message queues, or process IoT data streams. Developers are charged based on the resources they actually use, which can save them a lot of money.

While Azure Functions continues to compete with Amazon’s Lambda and Google’s Cloud Functions for a greater share of a market saturated with serverless compute offerings, a team of security researchers led by Paul Litvak at Intezer Labs has somewhat spoiled the party by disclosing a vulnerability in Azure Functions that allows an attacker to escalate privileges and then escape the Azure Functions Docker container to the Docker host.

What this means is that threat actors can potentially obtain root privileges inside the container and later break out of it onto the Docker host. This is possible because developers have the flexibility to run any code they want inside Azure-managed containers, and the researchers used this to gain a foothold in the Function container and study its internals.

“Escalating to root within a container is a remarkable achievement, yet escalating privileges within containers is not the final destination for an attacker. Compromising the Docker host would give them much more control, allowing them to break away from the container which might be monitored and moving to the Docker host which is often neglected in terms of security,” Litvak said in a blog post.

“Instances like this underscore that vulnerabilities are sometimes out of the cloud user’s control. Attackers can find a way inside through vulnerable third-party software. While you should focus on reducing the attack surface as much as possible, you also need to prioritize the runtime environment to make sure you don’t have any malicious code lurking in your systems,” he added.

However, following Intezer’s disclosure, Microsoft decided not to fix the vulnerability, even though a proof of concept (PoC) was made publicly available. After an internal assessment, Microsoft concluded that the vulnerability does not impact security since the Docker host is securely sandboxed by a HyperV (Virtual Machine Manager) boundary. The company did, however, make changes to block the /etc and /sys directories in response to the disclosure.

The proof of concept for the attack technique to exploit the vulnerability is detailed below:


Previously, the security team at Intezer discovered a privilege escalation vulnerability in Azure App Services and a similar vulnerability in the Azure Network Watcher Agent for Linux, an official Azure VM extension. The former allowed attackers to take over Azure App Services’ Git repository and implant phishing pages, while the vulnerability in Azure Network Watcher Agent for Linux allowed system users to escalate to root privileges simply by rebooting the system.

“As enterprises adopt new approaches, like serverless and micro-services architecture, simply relying on the underlying security of these services or those from the cloud provider is just asking for trouble,” said Jigar Shah, Vice President of Products at Valtix Inc., to SiliconANGLE.

“The old mantra of reducing the attack surface and defense in depth is still crucial: use attribute-based access control, and apply URL filtering for all outbound flows. Network Security 101 does not disappear because we moved to public clouds,” he added, in closing.
