Azure Container Services – Vulnerability fixed by Microsoft

Back in July, security researchers from Palo Alto networks reached out to Microsoft with a potential vulnerability that affected the Azure Container instance service. The vulnerability allowed Azure container instance services’ customer to allow another customer’s data running on the ACI. In other words, users on the ACI environment were able to access other users’ data without any problems. In normal scenario, this should not happen. And, the vulnerability can be called as the one of type ‘Information disclosure’.

It seems like the ACI services did not enforce resource level security once the customer has authenticated as an ACI or Azure Container user. Anyone with privileged credentials on the Azure Container Instance environment could access anyone else’s data running on the leveraged container host.

It is unclear as to whether any user data was compromised on account of this vulnerability. While no CVE details have been reported, we understand that Microsoft has fixed the vulnerability as per the security note on this link – https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/.

From whatever data is available, it appears that the likely affected customers were sent a Service Health notification alert through the Azure portal. For customers who remained unaffected with this vulnerability, there would be no such alert and they can sleep easy.

Whether you are affected or not, if you use Microsoft’s Azure Container instance, it would be wise to conduct an audit of all the privileged credentials on the ACI. Revoking these credentials and creating new ones would be the right fix for this vulnerability.

Besides this, do make sure you have the ACI running on a separate network subnet and is protected through a firewall. Do monitor the service logs for any unusual activity on the network side or on the application side of the container instance.

For now, it appears that this vulnerability has not had any noted or recorded instance of being exploited. And, since it is patched already on the container services’ environment, we can look forward to running the application on ACI containers without any hassles of data disclosure.