AL2021_25 Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances (10th September 2021)

Microsoft on Wednesday stated that it had remedied a vulnerability in its Azure Container Instances (ACI) service which may have been exploited by a malicious actor. This vulnerability is known to be the first cross-account container takeover in the public cloud.

Summary

An attacker can exploit the vulnerability observed in Azure Container Instances to execute malicious instructions on other users' containers or to steal customers' secrets and images installed on the platform.

How it works

ACI is a managed service that gives users the ability to run Docker containers directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators.

The Palo Alto Networks Unit 42 intelligence team observed how an attacker can leverage a "cross-tenant technique" to escape their rogue ACI container, escalate privileges over a multitenant Kubernetes cluster, and take control of impacted containers by executing malicious code.

The Palo Alto research group also noted that "breaking out of the container" was made possible by an outdated container runtime used in ACI, which left it susceptible to CVE-2019-5736, allowing an attacker to escape the container and gain code execution with elevated privileges on the underlying host.
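For container hosts you operate yourself (in ACI the runtime is run by Microsoft), the check below flags runc builds older than the first upstream release that fixed CVE-2019-5736. It is an added example, not part of the original alert; the 1.0.0-rc7 threshold follows from the CVE record (runc through 1.0-rc6 affected), and the host names and version output are constructed samples. Distributions often backport fixes, so a low version is a prompt to check the package changelog, not proof of exposure.

```python
import re

# The CVE-2019-5736 record lists runc through 1.0-rc6 as affected, so the
# first fixed upstream release is 1.0.0-rc7 (rc number is the fourth field).
FIXED = (1, 0, 0, 7)
FINAL = 10**6  # sentinel so a final release sorts after any release candidate

VERSION_RE = re.compile(
    r"runc version (\d+)\.(\d+)(?:\.(\d+))?(?:[-~]rc\.?(\d+))?", re.I)

def parse_runc_version(output):
    """Return (major, minor, patch, rc) from `runc --version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else FINAL
    return (major, minor, patch, rc)

def assess(output):
    """Classify one host's `runc --version` output."""
    version = parse_runc_version(output)
    if version is None:
        return "unknown"  # not runc output; inspect the host manually
    if version >= FIXED:
        return "fixed-upstream"
    return "check-for-backport"  # older than rc7 unless the vendor patched it

# Constructed sample: hostname -> captured `runc --version` output.
SAMPLE = {
    "node-a": "runc version 1.0.0-rc6+dev\ncommit: <placeholder>\nspec: 1.0.1-dev",
    "node-b": "runc version 1.0.0-rc93\nspec: 1.0.2-dev",
    "node-c": "runc version 1.1.12",
    "node-d": "runc version 0.1.1",
    "node-e": "containerd <placeholder version string>",
}

def audit(hosts):
    """Map each host to its assessment, sorted by host name."""
    return {host: assess(out) for host, out in sorted(hosts.items())}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```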

Remediation

While no current patch is available, users are advised to follow recommended best practices such as:

take a defence-in-depth approach to securing their cloud infrastructure, which includes continuous monitoring for threats inside and outside the cloud platform.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
