New information has been revealed regarding a previously fixed issue in Azure Service Fabric Explorer (SFX), which had the potential to result in remote code execution by unauthorized parties.
The problem, named Super FabriXss by Orca Security, has been assigned the CVE identifier 2023-23383 with a CVSS score of 8.2. This name is in reference to another vulnerability, FabriXss flaw, which was previously resolved by Microsoft in October of 2022 and had a lower CVSS score of 6.2.
According to a report shared with The Hacker News by security researcher Lidor Ben Shitrit, the Super FabriXss vulnerability can be exploited by remote attackers to carry out remote code execution on a container hosted on a Service Fabric node without requiring authentication. This is possible by making use of an XSS vulnerability.
XSS denotes a type of attack where harmful code is inserted into reliable websites through the client-side, allowing for malicious scripts to be executed whenever someone visits the compromised website. This ultimately results in unforeseen repercussions for the victim.
Both FabriXss and Super FabriXss are XSS vulnerabilities, but Super FabriXss poses a greater threat as it has the potential to be used maliciously to run code and take over vulnerable systems.
The Super FabriXss flaw is found in the Events tab of each node in the cluster as part of the user interface. It is a type of XSS vulnerability where the script is hidden within a link and is only activated when the link is clicked.
According to Ben Shitrit, an XSS vulnerability can be utilized by malicious actors to exploit the Cluster Type Toggle options within the Service Fabric platform's Events Tab. This can enable them to overwrite an existing Compose deployment by initiating an upgrade using a customized URL.
If an attacker gains control of a valid application in this manner, they can use it as a foundation to initiate more attacks or acquire confidential information or resources.
According to Orca, there is a problem with Azure Service Fabric Explorer version 9.1.1436.9590 or earlier. This problem has now been fixed by Microsoft as part of the March 2023 Patch Tuesday update, which described it as a vulnerability related to fooling or deceiving users.
Microsoft has announced that a weakness has been identified in the web client, and if an attacker injects harmful scripts into a victim's browser, those scripts will execute actions on a remote cluster. For the victim to be affected, they would need to click on the stored XSS payload delivered by the attacker.
NetSPI's announcement uncovered a security vulnerability in Azure Function Apps, which allows individuals with restricted access to obtain sensitive data and acquire control privileges.
Additionally, this revelation was due to the identification of a misconfiguration within Azure Active Directory which made several applications, including the content management system (CMS) that drives Bing.com, susceptible to unapproved entry.
The BingBang attack, which was given the code name by cloud security company Wiz, has the potential to be used as a tool to manipulate search results on Bing. The attack may also have the ability to launch XSS attacks on individuals using Bing, which would be an even more severe threat.