A newly discovered Azure Functions vulnerability lets an attacker escalate privileges and escape the Azure Functions Docker container to the Docker host.
After an internal assessment, Microsoft determined that the vulnerability has no security impact on Azure Functions users because the Docker host itself is protected by a Microsoft Hyper-V boundary, according to researchers from Intezer who discovered the flaw. Based on their findings, Microsoft has since made changes to block the /etc and /sys directories.
Azure Functions, essentially the Microsoft equivalent to Amazon Web Services' Lambda service, operates as a serverless compute service that lets users run code without having to provision or manage infrastructure.
A video demonstration of the vulnerability included in Intezer's blog mimics an attacker executing on Azure Functions and escalating privileges to achieve a full escape to the Docker host. The video and accompanying research follow up on other Intezer reports from the past several months that identified vulnerabilities in Microsoft Azure Network Watcher and Azure App Services.
The latest flaw underscores that vulnerabilities are sometimes out of the cloud user’s control, with attackers able to find a way inside through vulnerable third-party software. Reducing the attack surface is critical, but organizations must also prioritize the runtime environment to ensure malicious code isn't lurking in their systems.
As enterprises adopt new approaches like serverless and micro-services architecture, said Jigar Shah, vice president at Valtix, they are asking for trouble by relying just on the underlying security of these services or those from the cloud provider.
“The old mantra of reducing the attack surface and defense-in-depth is still crucial,” Shah said. “Use attribute-based access control, and apply URL filtering for all outbound flows. Network Security 101 does not disappear because we moved to public clouds.”