The researchers note that these containers run with the Docker --privileged flag, so device files in the /dev directory are shared between the Docker host and the container guest: “The failure exists because these device files have read and write permissions for other users,” the report notes.
The report adds that such lax permissions on device files are not standard behavior. The condition becomes serious because the Azure Functions environment exposed 52 partitions with file systems, all of them visible to every user in the container.
“These partitions appeared to belong to other Azure Functions clients, although additional reports suggest that these partitions were only ordinary file systems used by the same operating system, including the Docker host's pmem0 file system. Risk occurs when threat actors gain access to the victim's environment, for example as a user with reduced privileges.”
The researchers found that, using the debugfs utility on those device files, an unprivileged user can easily traverse the host file system and, in principle, edit any file on it. The catch is that the kernel serves reads from its page cache, so an edit written straight to the disk is not immediately seen by the running system.
The researchers found a way around this limitation by making direct changes to the files: “We created a hard link through debugfs in our container's diff directory so that the changes would be reflected in our container,” the report notes. “This hard link still requires root permissions to edit, so this method also requires the use of zap_block to edit its content. Finally, posix_fadvise is used to tell the kernel which read-cache pages should be discarded so that the change propagates through the Docker host file system.”
debugfs also supports a write mode (-w) that lets a user change the underlying disk directly: “It's important to note that writing to a mounted disk is usually a bad idea, as it can cause disk corruption.” With the ability to edit arbitrary files belonging to the Docker host, an attacker can modify /etc/ld.so.preload so that the dynamic loader injects a malicious shared object placed in the container's diff directory, escalating from code execution inside the container to the Docker host.
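The following shell script is an added illustration for this article, not code from the Intezer report or from Azure. It shows the three things a practitioner would want to try after reading the passages above: an audit of /dev for block devices that grant "other" read or write access (the misconfiguration the report describes), a debugfs read/write/ln session against an unmounted ext4 image instead of a real host disk (so it needs no root and damages nothing), and a check of /etc/ld.so.preload, the file the attack tampers with. The image path, the sample file contents and the 16 MB size are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original report): audit /dev permissions,
# drive debugfs against a throwaway ext4 image, and check ld.so.preload.
set -eu

# 1. List block devices under /dev that "other" can read (004) or write (002).
#    On a sanely configured host this prints nothing; any hit is a device
#    an unprivileged user could hand to debugfs, as in the Azure Functions case.
audit_dev_perms() {
    find /dev -type b \( -perm -004 -o -perm -002 \) 2>/dev/null || true
}

# 2. Reproduce the debugfs steps on a constructed image file, never on a mounted disk:
#    write a file into the file system, hard-link it (debugfs "ln"), read it back.
#    Nothing here is mounted, so the page-cache problem the report works around
#    with posix_fadvise does not arise; see the usage note for the mounted case.
demo_debugfs() {
    img="${1:-/tmp/demo-ext4.img}"          # constructed sample "disk"
    src="${2:-/tmp/demo-src.txt}"           # constructed sample file
    rm -f "$img"
    dd if=/dev/zero of="$img" bs=1M count=16 2>/dev/null
    mkfs.ext4 -q -F "$img" >/dev/null 2>&1
    printf 'original\n' > "$src"
    debugfs -w -R "write $src target.txt" "$img" >/dev/null 2>&1
    debugfs -w -R "ln target.txt alias.txt" "$img" >/dev/null 2>&1
    # read back through the link; prints "original" without ever mounting the image
    debugfs -R "cat alias.txt" "$img" 2>/dev/null
}

# 3. /etc/ld.so.preload is normally absent. Print "absent" or its contents so a
#    baseline comparison can flag an injected shared object.
check_ld_preload() {
    if [ -f /etc/ld.so.preload ]; then
        cat /etc/ld.so.preload
    else
        echo absent
    fi
}

if [ "${1:-}" = "run" ]; then
    echo "== world-accessible block devices =="; audit_dev_perms
    echo "== debugfs round trip ==";             demo_debugfs
    echo "== /etc/ld.so.preload ==";            check_ld_preload
fi
```

Run it as `sh script.sh run`. The image is created and edited while unmounted, which is the safe way to use debugfs -w; the report's warning about corruption applies to writing under a mounted file system. When the target is mounted, as the host disk was in the Azure Functions case, an on-disk edit stays invisible until the cached pages are dropped, which is what the posix_fadvise step in the report does; GNU dd exposes the same advice via `dd if=FILE iflag=nocache count=0`. The debugfs `ln` request, like the hard link in the report, does not adjust the inode's link count, so treat it as a demonstration, not a maintenance tool.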
Microsoft has not yet commented on the findings. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to visit the International Institute of Cyber Security (IICS) website.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job involves researching new malware and cyber security incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.