Summary
In Azure Serverless Functions, a new container is generated by the host for every function,
which is then terminated and deleted after several minutes. Palo Alto discovered that an
API call was available to bind one path to another within the container (called "init_server_pkg_mount_BindMount")
that could be called by a low-privileged user but executed with root privileges. This could
enable a malicious tenant to escalate their privileges to root, and then escape their container
by abusing the Linux cgroup v1 “notification on release” feature (a well-known escape to host technique).
This last step was possible because the container had been granted the SYS_ADMIN capability,
did not have an AppArmor profile, and the cgroup v1 virtual filesystem was mounted as
read-writable from within the container (all against container hardening best practice).
However, the underlying HyperV host was single-tenant, thereby limiting the blast radius
of this vulnerability chain. Following disclosure, Azure added additional validation for
bind mount APIs, but the other elements of this attack sequence remain exploitable.
Affected Services
Azure Serverless Functions
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/mer-b
Entry Status
Finalized
Disclosure Date
Thu, Dec 15th, 2022
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Aviv Sasson, Daniel Prizmant, Palo Alto
