
Details have emerged about a currently patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.
This issue, tracked as CVE-2023-23383 (CVSS score: 8.2), has been dubbed “Super FabriXss” by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that Microsoft fixed in October 2022.
“The Super FabriXss vulnerability allows remote attackers to exploit XSS vulnerabilities to remotely execute code in containers hosted on Service Fabric nodes without the need for authentication,” security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.
XSS is a type of client-side code injection attack in which malicious scripts are injected into otherwise trusted websites. The script is then executed every time a victim visits the compromised website, leading to unintended consequences.
Both FabriXss and Super FabriXss are XSS flaws, but Super FabriXss has more serious implications in that it can be weaponized to execute code and take control of a susceptible system.
Super FabriXss, which resides in the “Events” tab associated with each node in the cluster from the user interface, is also a reflected XSS flaw. This means the script is embedded in a link and is only triggered when the link is clicked.
“This attack takes advantage of the Cluster Type Toggle option under the Events tab in the Service Fabric platform, which allows an attacker to overwrite an existing Compose deployment by triggering an upgrade with a specially crafted URL from an XSS vulnerability,” Ben Shitrit explained.

“By controlling a legitimate application in this way, attackers can use it as a platform to launch further attacks or gain access to sensitive data and resources.”
According to Orca, the vulnerability affects Azure Service Fabric Explorer versions 9.1.1436.9590 and earlier. Microsoft has since addressed it as part of its March 2023 Patch Tuesday updates, with the tech giant describing it as a spoofing vulnerability.
“While the vulnerability resides in the web client, malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster,” Microsoft said in its advisory. “The victim user would have to click the stored XSS payload injected by the attacker.”
The disclosure comes as NetSPI revealed a privilege escalation flaw in Azure Function Apps that allows users with “read-only” privileges to access sensitive information and execute commands.
It also follows the discovery of an Azure Active Directory misconfiguration that exposed numerous applications to unauthorized access, including the content management system (CMS) that powers Bing.com.
Cloud security company Wiz, which codenamed the attack BingBang, said it could have been weaponized to tamper with Bing search results or, worse, carry out XSS attacks against users.