Microsoft has revealed that it has fixed a bug in its Azure Container Instances (ACI) service that may have allowed a user to access other customers’ information in the ACI.
ACI lets customers run applications in containers on Azure using virtual machines that are managed by Microsoft rather than managing their own.
Researchers from Palo Alto Networks reported the security bug to Microsoft, which recently addressed the issue.
Microsoft said in a blogpost there was no indication that any customer information was accessed through the vulnerability, either in the cluster the researchers were using or in other clusters.
“Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data,” it said.
Nonetheless, it has told customers who received a notification from it via the Azure Portal to revoke any privileged credentials that were deployed to the platform before August 31, 2021.
Ariel Zelivansky, researcher at Palo Alto, told Reuters his team used a known vulnerability to escape Azure’s system for containers. Since it was not yet patched in Azure, this allowed them to gain full control of a cluster. Palo Alto reported the container escape to Microsoft in July.
Even without vulnerabilities, containerized applications, which are often hosted on cloud infrastructure, can be difficult to shield from attackers. The NSA and CISA recently issued guidance for organizations to harden containerized applications because their underlying infrastructure can be incredibly complex.
Microsoft noted that, among other things, admins should revoke privileged credentials on a regular basis.
Microsoft disclosed a separate Azure vulnerability two weeks ago affecting customers of Cosmos DB, Azure's managed NoSQL database service. The critical flaw, dubbed ChaosDB, allowed an attacker to read, modify or delete databases.