Vulnerability in Azure Functions

Paul Litvak, a cybersecurity researcher, has revealed an unresolved vulnerability in Microsoft Azure Functions. An attacker who exploits it could escalate their privileges and escape the Docker container. These findings were disclosed as part of Intezer Labs' investigations into Azure infrastructure.

Microsoft responded to the disclosure stating that it had "determined that the vulnerability has no security impact on Function users since the host itself is still protected by another defense boundary against the elevated position we reached in the container host."

Azure Functions, similar to Amazon AWS, lets users run event-triggered code without having to explicitly provision or manage infrastructure.

Developers can run Azure Functions in the cloud or on-premises using Docker. An Azure Function is invoked by a trigger; since an HTTP request can serve as a trigger, the researcher created an HTTP-triggered Function to gain control over the Function container and then looked for sockets belonging to processes running with root privileges.

From there, one such privileged process, associated with a "Mesh" binary, was found to contain a flaw that could be exploited to grant root permissions to the "app" user that runs the above Function.

Intezer researchers found references to the Mesh binary in a public Docker image, and this could be used to achieve the elevated privileges.

In the final stage, the extended privileges granted to the container (via the "--privileged" flag) are abused to escape the Docker container and execute arbitrary commands on the host. Intezer has published proof-of-concept (PoC) exploit code on GitHub that probes the Docker host environment.

"Instances like this underscore that vulnerabilities are sometimes out of the cloud user's control. Attackers can find a way inside through vulnerable third-party software," Intezer Labs researchers said.

"It's critical that you have protection measures in place to detect and terminate when the attacker executes unauthorized code in your production environment. Microsoft even echoes this Zero Trust mentality."
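The final-stage abuse of the "--privileged" flag is something a defender can check for from inside the workload itself. The script below is an added example, not code from the article or from Intezer's PoC: it decodes the CapEff mask in /proc/self/status and reports capabilities beyond Docker's default set, which is exactly what --privileged hands over. The capability numbering follows the Linux kernel's capability.h, Docker's default mask value is taken from its documented default set, and the two status dumps are constructed samples.

```python
# Added example: detect containers carrying more capabilities than Docker grants
# by default (e.g. started with --cap-add or --privileged). Not the article's code.
import os
import re

CAP_NAMES = [  # index == capability number in linux/capability.h
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB  # plain `docker run` as root: 14 caps

# Constructed /proc/self/status excerpts: a default container versus one run with
# --privileged (full set on a kernel with 38 capabilities, CAP_LAST_CAP = 37).
DEFAULT_STATUS = "Name:\tpython3\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tpython3\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"


def decode_capeff(status_text):
    """Return the set of capability names enabled in the dump's CapEff bitmask."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if match is None:
        raise ValueError("no CapEff line in status text")
    mask = int(match.group(1), 16)
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"UNKNOWN_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}


def excess_capabilities(status_text):
    """Capabilities beyond Docker's default set; non-empty means --cap-add or --privileged."""
    baseline = decode_capeff(f"CapEff:\t{DOCKER_DEFAULT_CAPEFF:016x}\n")
    return decode_capeff(status_text) - baseline


def looks_privileged(status_text):
    """SYS_ADMIN is never in the default set and is the capability that makes host escapes practical."""
    return "SYS_ADMIN" in decode_capeff(status_text)


if __name__ == "__main__":
    # Audit the real container when run inside one, otherwise the constructed sample.
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else PRIVILEGED_STATUS
    print("privileged-looking:", looks_privileged(text))
    print("excess capabilities:", sorted(excess_capabilities(text)))
```

Running this as a startup self-check inside a Function image (or feeding it the status of the Function host process) gives an alert before any third-party binary on the host is ever reached.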
