A new vulnerability has been discovered in Microsoft’s Azure Service Fabric Explorer (SFX) that would enable unauthenticated, remote threat actors to execute code on a container hosted on a Service Fabric node.
Dubbed Super FabriXss by the Orca Security team, the cross-site scripting (XSS) flaw (CVE-2023-23383) has a CVSS score of 8.2 and affects SFX version 9.1.1436.9590 or earlier.
“The vulnerability arises from a susceptible ‘Node Name’ parameter, which can be exploited to embed an iframe in the user’s context,” wrote Orca security researcher Lidor Ben Shitrit in a Thursday advisory.
The iframe (an HTML element designed to embed web content within web pages) then retrieves remote files from an attacker-controlled server, leading to the execution of a malicious PowerShell reverse shell.
“This attack chain can ultimately result in remote code execution on the container which is deployed to the cluster, most likely enabling an attacker to take control of critical methods,” Shitrit added.
The Orca Security team confirmed it reported the vulnerability on December 20, 2022 to the Microsoft Security Response Center (MSRC), which investigated the issue and released a fix as part of its March 2023 Patch Tuesday.
According to Shitrit, this is the second XSS vulnerability that Orca has discovered in Azure Service Fabric Explorer. But, while the first one (referred to as FabriXss) affected both Linux and Windows clusters, the Super FabriXss flaw only exists in the Windows cluster. However, Shitrit warned the new vulnerability is significantly more dangerous than the previous one discovered by the team.
“With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes,” reads the advisory. “An attacker could most likely gain control of critical systems and cause important harm.”
Orca Security has created a proof of concept for the Super FabriXss vulnerability, which is described in depth in the team’s technical write-up.
Some parts of this article are sourced from:
www.infosecurity-magazine.com