Microsoft warns of vulnerability that allowed access to Azure infrastructure
A set of vulnerabilities in the Azure Container Instances (ACI) platform could have allowed users to escape their own container instance and gain control of the container-as-a-service (CaaS) infrastructure, Palo Alto Networks researchers reported on September 9.
The attack exploited a two-year-old vulnerability in a component of the container infrastructure that is used to create and run new containers. Exploiting the vulnerability allowed Palo Alto Networks' vulnerability researchers to escape their container in Azure's multi-tenant public cloud environment and gain control of the underlying Kubernetes management system.
This is the first time that a complete takeover of a public cloud system has been demonstrated, says Ariel Zelivansky, leader of Palo Alto Networks’ Unit 42 cloud research team.
“What we found is a vulnerability that escalates privileges to a cluster administrator which gives you access to anything you want in Kubernetes,” he says. “It is essentially the Holy Grail of cloud security attacks.”
The vulnerabilities, which Palo Alto Networks dubbed "Azurescape," were patched by Microsoft in late August after the security firm notified it. Microsoft issued notifications to customers whose containers resided in the same clusters as the researchers' cloud infrastructure, the company stated in an advisory.
To read the complete article, visit Dark Reading.