'Azurescape': New Azure vulnerability fixed by Microsoft

A newly disclosed vulnerability in Azure Container Instances could have enabled threat actors to execute code on other users' containers. Microsoft said Wednesday that the vulnerability has been fixed and no further action is needed.

The flaw was reported by Palo Alto Networks, who named the vulnerability "Azurescape" and published a blog Thursday shortly after Microsoft's Wednesday night advisory. At the center is Azure Container Instances (ACI), a service that allows an Azure developer to deploy containers without the need for orchestration.

Microsoft's post on the bug was light on details, saying only that the vulnerability "could potentially allow a user to access other customers' information in the ACI service," and had little more regarding technical specifics. The post also said that Microsoft found no evidence of unauthorized customer access, that the vulnerability was fixed, and that it notified Azure customers "with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal."

Customers who received the notification are advised to revoke privileged credentials deployed before Aug. 31. Microsoft said no action is needed for those who didn't get the notification.

More technical details can be found in Palo Alto Networks' post. Principal security researcher and post author Yuval Avrahami called Azurescape "the first cross-account container takeover in the public cloud."

"Azurescape allowed malicious users to compromise the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers," Avrahami wrote, though he also said that Unit 42, Palo Alto's threat intelligence team, has seen no evidence of exploitation.

A malicious user, according to the post, could exploit the vulnerability to execute code on the containers of other Azure users, as well as "steal customer secrets and images deployed to the platform, and possibly abuse ACI's infrastructure for cryptomining."

A Palo Alto Networks spokesperson told SearchSecurity, "There's no system for providing CVEs for cloud vulnerabilities that are mitigated by the vendor."

SearchSecurity asked Microsoft whether it received any reports of exploitation; Microsoft declined to provide a response. Instead, a company spokesperson provided the following statement: "We are thankful to the researcher for responsibly disclosing so we could address the issue and protect customers."

Azurescape marks the second notable Azure vulnerability disclosed in recent weeks. In late August, a flaw dubbed "ChaosDB" enabled two security researchers at Wiz to gain unrestricted access to the databases and accounts of several thousand Azure customers via Cosmos DB.

Alexander Culafi is a writer, journalist and podcaster based in Boston.