A vulnerability in Azure Service Fabric Explorer (SFX) was recently patched.
CVE-2023-23383: Discovery and Technical Overview
Security firm Orca discovered a serious security flaw in Azure Service Fabric Explorer that could be exploited by sending a crafted URL to any Azure Service Fabric user. The root cause was insufficient sanitisation of the ‘Node Name’ parameter, which let an attacker inject an iframe into the SFX page rendered in the victim’s browser.
That iframe then fetches remote files from an attacker-controlled server, which in turn launch a malicious PowerShell reverse shell. The chain can end in remote code execution on a container deployed to the cluster, potentially giving the attacker control of critical systems.
The vulnerability, dubbed “Super FabriXss” (CVE-2023-23383, CVSS score 8.2), is an escalation of the previously patched FabriXss flaw, CVE-2022-35829 (CVSS score 6.2).
According to Orca security researcher Lidor Ben Shitrit, this vulnerability allows attackers to execute code remotely on a Service Fabric node without the need for authentication. The vector is a cross-site scripting (XSS) injection: attacker-supplied markup or script is delivered through a page the victim trusts, here by way of a crafted SFX link, and runs in the victim’s browser with that page’s privileges whenever the link is opened.
While both FabriXss and Super FabriXss involve XSS, Super FabriXss has more serious implications as it can be weaponized to gain control of affected systems.
In March 2023, Orca Security discovered a dangerous Cross-Site Scripting (XSS) vulnerability, referred to as Super FabriXss (CVE-2023-23383), within Azure Service Fabric Explorer (SFX). It enabled unauthenticated remote attackers to execute code on a container hosted on a Service Fabric node.
Once notified, the Microsoft Security Response Center (MSRC) investigated the issue and assigned it CVE-2023-23383 (CVSS 8.2) with ‘Important’ severity. Microsoft shipped a fix in its March 2023 Patch Tuesday release. Because SFX is bundled with the Service Fabric runtime, applying the fix means updating the cluster to a patched runtime version; clusters still on an older version remain exposed to crafted links.