Microsoft fixes Azurescape flaw in Azure Container Instances

Pierluigi Paganini September 10, 2021

Microsoft has fixed the Azurescape issue, a flaw in Azure Container Instances that allowed an attacker to take over containers of other platform users.

Microsoft has addressed a vulnerability in Azure Container Instances (ACI) called Azurescape that could have allowed a malicious container to take over containers belonging to other users.

An attacker could exploit the vulnerability to execute commands in the containers of other users and access their data. The vulnerability was discovered by researchers from Palo Alto Networks, who recently published technical details of the issue.

Microsoft sent Service Health Notifications to customers potentially impacted by Azurescape, asking them to change privileged credentials for containers deployed to the platform before August 31. The IT giant is not aware of attacks in the wild exploiting the flaw.

“Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data.” reads the advisory published by Microsoft. “Out of an abundance of caution we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.”

Azure Container Instances is a solution for any scenario that can operate in isolated containers, without orchestration. Run event-driven applications, quickly deploy from your container development pipelines, and run data processing and build jobs.

Palo Alto researchers discovered that ACI uses runC, a lightweight, portable container runtime. The version used by ACI is v1.0.0-rc2, which was released in 2016 and was affected by at least two container escape issues.

“Back in 2019, we analyzed one of these vulnerabilities, CVE-2019-5736. Our blog post, “Breaking out of Docker via runC – Explaining CVE-2019-5736,” shared our analysis and a proof-of-concept (PoC) exploit for it.” reported Palo Alto Networks. “Once we discovered the presence of this old version of runC in ACI, we took the PoC container image developed then, polished it and deployed it to ACI. We successfully broke out of our container and gained a reverse shell running as root on the underlying host, which turned out to be a Kubernetes node.”

Palo Alto Networks researchers published a video PoC to show how an attacker could escape the container to get administrator privileges for the entire cluster.

Microsoft provided the following recommendations to secure ACI:

  • As a precautionary measure, if you were notified, we recommend revoking any privileged credentials that were deployed to the platform before August 31st, 2021. Common places to specify configuration and secrets for container groups include:
    • Environment Variables
    • Secret Volumes
    • Azure file share
  • Consult these security best practices resources 
  • As part of standard security practices, you should revoke privileged credentials on a frequent basis.
  • Stay up to date on important security-related notifications like this one by configuring Azure Service Health Alerts.  
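
To act on the first recommendation, the following added example (not code from Microsoft or from this article) inventories the three places the list names, per container group, so the credentials behind them can be revoked. It assumes the field names of `az container list --output json`; the sample data is constructed, and the script does not determine deployment dates, which have to be checked separately.

```python
import json

# Constructed sample shaped like `az container list --output json`
# (field names are an assumption; all names and values are made up).
SAMPLE = json.loads("""
[
  {"name": "billing-worker", "resourceGroup": "rg-prod",
   "containers": [{"name": "worker", "environmentVariables": [
       {"name": "DB_PASSWORD", "value": "example-only"},
       {"name": "LOG_LEVEL", "value": "info"}]}],
   "volumes": [
       {"name": "certs", "secret": {}, "azureFile": null},
       {"name": "data", "secret": null,
        "azureFile": {"shareName": "exports",
                      "storageAccountName": "stprod01"}}]},
  {"name": "static-site", "resourceGroup": "rg-web",
   "containers": [{"name": "web", "environmentVariables": []}],
   "volumes": null}
]
""")


def credential_locations(groups):
    """Return (group, kind, detail) for every place a secret may live.

    Only names are reported, never values, so the output can be shared
    in a ticket while the credentials themselves are being rotated.
    """
    findings = []
    for g in groups:
        gid = f'{g.get("resourceGroup", "?")}/{g.get("name", "?")}'
        for c in g.get("containers") or []:
            for ev in c.get("environmentVariables") or []:
                detail = f'{c.get("name")}:{ev.get("name")}'
                findings.append((gid, "environment variable", detail))
        for v in g.get("volumes") or []:
            if v.get("secret") is not None:  # an empty dict still counts
                findings.append((gid, "secret volume", v.get("name")))
            share = v.get("azureFile")
            if share:
                detail = f'{share.get("storageAccountName")}/{share.get("shareName")}'
                findings.append((gid, "azure file share", detail))
    return findings


if __name__ == "__main__":
    for group, kind, detail in credential_locations(SAMPLE):
        print(f"{group}\t{kind}\t{detail}")
```

Every environment variable is listed rather than guessed at by name, because whether a value is a credential is a judgment for the owner of the container group.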


Pierluigi Paganini

(SecurityAffairs – hacking, Azurescape)
