Technical Details for FabricScape CVE Proof of Concept

On June 28, 2022, Palo Alto Unit 42 researchers reported technical details and a proof of concept (PoC) exploit code for CVE-2022-30137, which they have designated FabricScape.
Technical Details for FabricScape CVE Proof of Concept

Context

On June 28, 2022, Palo Alto Unit 42 researchers reported technical details and a proof of concept (PoC) exploit code for CVE-2022-30137, which they have designated FabricScape. CVE-2022-30137 is rated at 6.7 or medium severity, and affects Microsoft Service Fabric. Service Fabric is commonly used with Azure and hosts over one million applications daily. Microsoft released a patch on June 14, 2022, after working closely with Unit 42 researchers to mitigate FabricScape.

Technical Details

The vulnerability reportedly allows attackers to escalate privileges in Linux containers, gain root privileges on the node, and compromise all nodes in a cluster. Attackers could exploit the vulnerability on containers with runtime access, which is the default configuration.

Unit 42 researchers investigated Data Collection Agent (DCA) source code and discovered a potential race-conditioned arbitrary write in the GetIndex function, which reads files, checks content format, and modifies and overwrites content. This causes a symlink race, which allows attackers to place malicious content in the read file on the compromised container.

To exploit CVE-2022-30137, attackers must trigger DCA to run the vulnerable function on a controlled file. DCA will execute the function that runs GetIndex many times in log directory paths. This will defeat the race condition and allow attackers to overwrite any file on the node in a Linux container.

To execute code, attackers must first abuse the LD_PRELOAD environment variable to hijack the dynamic linker. Attackers then need to write a false shared object with a function to initiate a reverse shell and add a construction attribute so the shared objects automatically initiates reverse shell when loaded. After this exploitation, attackers can gain root access to the node, explore the file system and certificates. Attackers can then apply compromised certificates to authenticate to any API endpoint and trigger functionalities in the cluster.

Impact Analysis

CVE-2022-30137 is rated at medium severity. It requires significant technical skill to successfully exploit, which decreases the likelihood of a compromise for a given organization, but if exploited, the level of access granted to attackers has a high potential severity. As such, RH-ISAC members using Service Fabric are encouraged to implement all mitigations released by Microsoft.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.