Tear in Microsoft Azure Service Fabric can give attackers full admin privileges
FabriXss could allow miscreants to perform a cluster node reset, thus erasing all customized settings including passwords and security configurations. Then they could create new passwords and gain full admin permissions.
"The size of the threat depends on the number of clusters set up within user organizations and if those have non-admin users that use the CreateComposeApplication role to create applications and the vulnerable SFXv1," Shitrit said. Exploiting this bug starts with executing expressions via Client Side Template Injection (CSTI), the Orca team explained: "In order to break out of CSTI to XSS, we will need to see exactly how the application name is created and formatted."
Service Fabric Explorer is shared, and by default there are two permissions levels: read only and admin. However, as the Orca researchers explained, "there is an option to modify the read only client permissions to create a custom user which is not an administrator but still able to perform specific tasks."
They were able to abuse the stored XSS by creating a custom client user – a deployer user – and then creating a malicious app to send the payload. "We found that a Deployer type user with a single permission to 'Create new Applications' via the dashboard, can use this single permission to create a malicious application name and abuse the administrator permissions to perform various calls and actions," the researchers wrote. ®
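The weak point described above is an application name chosen by a low-privileged Deployer user that ends up in the dashboard's template. The following is an added example, not Orca's or Microsoft's code, showing the two defensive controls a cluster operator would want: a strict allowlist applied to application names before they are accepted from a non-admin role, and HTML escaping for any name that is still rendered as text. It assumes names are `fabric:/` URIs restricted to a conservative character set, and the audit records are constructed sample data.

```javascript
// Added example (not Orca's or Microsoft's code). Assumption: application names
// are fabric:/ URIs limited to a conservative character set.
const NAME_RE = /^fabric:\/[A-Za-z0-9_.-]+(?:\/[A-Za-z0-9_.-]+)*$/;
const TEMPLATE_MARKERS = ["{{", "}}", "<", ">", "\"", "'", "`", "$"];

// Reject a name before it can ever reach the dashboard's template engine.
function checkApplicationName(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 256) {
    return { ok: false, reason: "empty or over-long name" };
  }
  const hit = TEMPLATE_MARKERS.find((m) => name.includes(m));
  if (hit !== undefined) {
    return { ok: false, reason: `template or markup character ${JSON.stringify(hit)}` };
  }
  if (!NAME_RE.test(name)) {
    return { ok: false, reason: "not an allowed fabric:/ URI" };
  }
  return { ok: true, reason: "" };
}

// Defence in depth: any name that is displayed must be treated as text, not markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection: constructed audit records of application creations. Only non-admin
// roles are of interest, because an admin can already change the cluster anyway.
const SAMPLE_AUDIT = [
  { user: "ci-deployer", role: "Deployer", name: "fabric:/Orders/Api" },
  { user: "ci-deployer", role: "Deployer", name: "fabric:/{{1+1}}" },
  { user: "ops-admin", role: "Admin", name: "fabric:/Billing" },
  { user: "intern", role: "Deployer", name: "fabric:/<b>hi</b>" },
];

// Returns one human-readable finding per non-admin creation whose name fails the check.
function flagSuspiciousCreations(records) {
  return records
    .filter((r) => r.role !== "Admin")
    .map((r) => ({ ...r, check: checkApplicationName(r.name) }))
    .filter((r) => !r.check.ok)
    .map((r) => `${r.user} (${r.role}): ${escapeHtml(r.name)} -> ${r.check.reason}`);
}

console.log(flagSuspiciousCreations(SAMPLE_AUDIT).join("\n"));
```

The allowlist belongs at the API that accepts the CreateComposeApplication request, so it protects every client, including older SFX versions that render names unsafely.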