Microsoft Warns of Azure Bug

Security researchers at Palo Alto Networks have recently disclosed a new vulnerability named Azurescape. According to their report, the issue affected Azure Container Instances, a cloud service that lets companies deploy packaged applications (containers) in the cloud.

The researchers stated that the issue allowed a malicious container to take over other containers belonging to other users of the platform.

They also stated that threat actors exploiting Azurescape could execute commands in someone else’s containers and gain access to all of the data of other customers.

Potentially affected Azure Container Instances accounts

There is no indication that any customer data was accessed because of this vulnerability. Nonetheless, as a precaution, notifications were sent to the customers who were potentially affected by the researchers’ activities.

They also recommend revoking any privileged credentials that were deployed to the platform before August 31, 2021.

Background on Azure Container Instances

Azure Container Instances (ACI) was first released in July 2017 and was the very first Container-as-a-Service (CaaS) offering from a major cloud provider.

With ACI, customers can deploy containers to Azure without managing the underlying infrastructure. ACI itself takes care of:

  • Scaling
  • Request routing
  • Scheduling
  • Implementing a serverless experience for all kinds of containers

Scouting the Node Environment

After carefully checking all the nodes, the researchers stated that they had verified that their container was the only customer container on its node.

Using the Kubelet credentials they had obtained, they listed the pods and nodes in the cluster.

According to the analysts, the cluster hosted about 100 customer pods and had nearly 120 nodes. Each customer was assigned a Kubernetes namespace in which their pod ran, named caas-d98056cf86924d0fad1159XXXXXXXXXX.

Kubernetes CVE-2018-1002102

The API server occasionally reaches out to Kubelets. CVE-2018-1002102 describes a security problem in how the API server communicated with Kubelets: it followed redirects.

By redirecting the API server’s requests to another node’s Kubelet, a malicious Kubelet could spread through the cluster.

Impact of the Attack and Fix

A malicious Azure user could compromise the multitenant Kubernetes clusters hosting ACI and gain cluster administrator control.

Threat actors could then execute commands in other customers’ containers, exfiltrate code and private images deployed to the platform, or deploy cryptominers.

A sophisticated adversary would also examine the detection tools protecting ACI in order to avoid getting caught.

How to secure ACI?

Cybersecurity analysts have also suggested several measures that will help users keep ACI secure.

They recommend revoking any privileged credentials that were deployed to the platform before August 31st, 2021.

Common areas where configuration and code for container groups are defined include the following:

  • Environment Variables
  • Secret Volumes
  • Azure file share

Consult these security best-practice resources:

  • Azure Container Instances Security Baseline
  • Azure Container Instances Security Considerations

Stay informed about security-related notifications like this one by configuring Azure Service Health Alerts.
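The credential-revocation advice above is easier to act on with an inventory of where credentials may have been deployed. The following Python script is an added example, not code from the article or from Unit 42’s report: it parses JSON in the shape printed by `az container list -o json` (the sample below is constructed) and lists the environment variables, secret volumes and Azure file shares in each container group that an operator should rotate or review. It assumes the API does not echo secure environment-variable values, so an entry with neither `value` nor `secureValue` is treated as a secure variable.

```python
"""Inventory where credentials may live in ACI container groups (environment
variables, secret volumes, Azure file shares) to drive a credential rotation.
Input: JSON as printed by `az container list -o json` (constructed sample below)."""
import json
import re

# Constructed sample shaped like `az container list` output; not real data.
SAMPLE_AZ_CONTAINER_LIST = json.dumps([{
    "name": "web-frontend", "resourceGroup": "rg-prod",
    "containers": [{"name": "web", "environmentVariables": [
        {"name": "DB_PASSWORD", "value": "hunter2", "secureValue": None},
        {"name": "LOG_LEVEL", "value": "info", "secureValue": None},
        {"name": "API_TOKEN", "value": None, "secureValue": None},
    ]}],
    "volumes": [
        {"name": "certs", "secret": {"tls.key": "<redacted>"}, "azureFile": None},
        {"name": "share", "secret": None, "azureFile": {
            "shareName": "data", "storageAccountName": "stprod", "storageAccountKey": None}},
    ],
}])

# Variable names that usually carry a credential (heuristic, constructed list).
SECRET_NAME_RE = re.compile(r"pass|secret|token|key|cred", re.IGNORECASE)


def find_credential_locations(az_json):
    """Return (group, kind, name) tuples, one per location to rotate or review."""
    findings = []
    for group in json.loads(az_json):
        g = group["name"]
        for container in group.get("containers") or []:
            for ev in container.get("environmentVariables") or []:
                if ev.get("value") is None and ev.get("secureValue") is None:
                    # Assumption: the API does not echo secure values, so an
                    # entry with neither field set is a secureValue variable.
                    findings.append((g, "env-secure", ev["name"]))
                elif ev.get("value") and SECRET_NAME_RE.search(ev["name"]):
                    # Plaintext value with a credential-like name: rotate it and
                    # move it to secureValue or a secret volume.
                    findings.append((g, "env-plaintext", ev["name"]))
        for vol in group.get("volumes") or []:
            if vol.get("secret"):
                findings.append((g, "secret-volume", vol["name"]))
            if vol.get("azureFile"):
                # The storage account key is mounted with the share: rotate it.
                findings.append((g, "azure-file-share", vol["azureFile"]["storageAccountName"]))
    return findings


if __name__ == "__main__":
    for group, kind, name in find_credential_locations(SAMPLE_AZ_CONTAINER_LIST):
        print(f"{group}: {kind} -> {name}")
```

Run it against real output by piping `az container list -o json` into `json.loads` in place of the constructed sample.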

Vulnerabilities of this kind are dangerous and have a large impact on users, and Azurescape is proof of how much damage they can do.

Cloud providers invest heavily in securing their platforms, but unknown zero-day vulnerabilities will still exist and put customers at risk.


Guru is an Ex-Security Engineer at Comodo Cybersecurity. Co-Founder - Cyber Security News & GBHackers On Security.
