Intezer researchers discovered a new vulnerability in Azure Functions, which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.

Azure Functions is a serverless compute service that allows users to run code without having to provision or manage infrastructure. Azure Functions is Microsoft’s equivalent to Amazon Web Services’ well-known Lambda service, says Intezer. 

After an internal assessment, Microsoft determined that the vulnerability has no security impact on Functions users, as the Docker host itself is protected by a Hyper-V boundary. Based on Intezer's findings, Microsoft has nonetheless made changes to block access to the /etc and /sys directories; this change has already been deployed.

"Instances like this underscore that vulnerabilities are sometimes out of the cloud user’s control. Attackers can find a way inside through vulnerable third-party software. While you should focus on reducing the attack surface as much as possible, you also need to prioritize the runtime environment to make sure you don’t have any malicious code lurking in your systems," says Intezer. 

Jigar Shah, Vice President at Valtix, says, "As enterprises adopt new approaches, like serverless and micro-services architecture, simply relying on the underlying security of these services or those from the cloud provider is just asking for trouble. The old mantra of reducing the attack surface and defense in depth is still crucial: use attribute-based access control, and apply URL filtering for all outbound flows. Network Security 101 does not disappear because we moved to public clouds."

For more of Intezer's findings, please visit https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/