October 20, 2022

Microsoft has patched a vulnerability in Azure Service Fabric Explorer (SFX) in its Patch Tuesday updates. The flaw, tracked as CVE-2022-35829, has a severity rating of 6.2 and could allow attackers to gain administrator privileges.

SFX is an open-source tool for inspecting and managing Azure Service Fabric Clusters, a distributed system platform for building and deploying cloud applications based on microservices.

The bug in question allows a user with privileges to “Create Compose Application via the SFX client and use privileges to create a rogue app and misuse a stored cross-site scripting (XSS) vulnerability in the “Application name” field to slip the payload.

The flaw therefore allows a threat actor to send the specially crafted input during the application process, which ultimately leads to its execution.

“This includes performing a Cluster Node reset, which erases all customized settings such as passwords and security configurations, allowing an attacker to create new passwords and gain full administrator privileges,” said Orca Security researchers Lidor Ben Shitrit and Roee Sagi.

The vulnerability was discovered and reported by Orca Security on August 11, 2022. Dubbed the vulnerability FabriXss (pronounced “fabrics”), the flaw impacts Azure Fabric Explorer version 8.1.316 and older.

The sources for this piece include an article in TheHackerNews.