Azure Cloud Shell and Azure Container Instances Container Breakout
yuvalavra opened this issue · 0 comments
yuvalavra commented
Azure: Container Breakout in Azure Cloud Shell and Azure Container Instances
- Summary: Azure failed to restrict customers' containers on ACS and ACI from accessing services on the underlying node, allowing for container breakout via the Kubelet API which allowed anonymous access. The researcher could see other customers' containers running on neighboring Kubernetes nodes, but decided to stop and report to MSRC. Though cross-account access wasn't demonstrated, the high bounty (30,000$) indicates MSRC considered the issue to be severe. It should be noted that compromising another customer's Cloud Shell instance is an absolutely devastating attack resulting in a full takeover of the victim's Azure account.
- Platform: Azure
- Severity: High or Critical, up to you
- Date: January 20, 2020
- Discoverer: Chen Cohen
- Customer action: N/A
- References: