Microsoft fixes rare Azure bug leveraging containers

This was the first ever potential attack to use container escape to control other users' accounts

Microsoft has plugged a flaw in its Azure Container Instances (ACI) service that could have allowed a malicious actor to access customers' information.

Researchers at Palo Alto Networks first reported the flaw, the Microsoft Security Response Center (MSRC) said in a blog post, but an investigation found no evidence to suggest that attackers abused the technique to access customer data.

The company has, however, notified customers whose containers were running on the same clusters that Palo Alto used during its research.

Those customers have been advised to change their login credentials as a precaution.

'Out of an abundance of caution, we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability,' Microsoft said.

ACI is a serverless container service that lets users run applications in containers on Azure without managing the underlying virtual machines, which are operated by Microsoft.

Palo Alto researcher Ariel Zelivansky told Reuters that it took several months for his research team to demonstrate the potential dangers of the Azure bug.

He said the flaw existed because of a code snippet that had not been updated to patch a previously known bug.

Palo Alto researchers were able to leverage the bug to gain full control of a cluster, though Zelivansky said it was highly unlikely that malicious actors would use a similar method in the real world.

Container security expert Ian Coldwater told Reuters, "This was the first attack on a cloud provider to use container escape to control other accounts".

Coldwater, who reviewed Palo Alto's research at Reuters' request, noted that cloud architectures are generally safe for customers, as cloud providers are able to make fixes themselves, rather than relying on customers to apply updates.

But he added that cloud attacks by state-backed threat groups are "a valid concern".

The details of the Azure container bug come about a month after a security researcher claimed that a flaw in Microsoft's newly announced Windows 365 Cloud PC service could enable malicious actors to extract users' Azure credentials in plaintext.

Microsoft announced general availability of Windows 365 Cloud PC - an always-on PC accessible from any device with an internet connection and web browser - on 2nd August.

A few days later, security researcher Benjamin Delpy said he had used the open-source Mimikatz tool, in combination with the previously disclosed PrintNightmare bug, to extract Azure credentials from Windows 365 in plaintext.

Delpy said he would normally recommend using security features such as two-factor authentication (2FA), Windows Hello, smart cards and Windows Defender Remote Credential Guard to protect credentials. However, these features are not yet available in Windows 365.