Presentation Material
Abstract
The presentation will explore a Use-After-Free vulnerability and novel RCU techniques found in the Netfilter module of kernel 5.10.102.2-microsoft-standard (and versions prior to 6.9), which Azure Cloud Shell runs on. Upon successful exploitation of kernel vulnerabilities, an attacker can gain elevated privileges in their own Cloud Shell environment, potentially leading to container escape within the user's session and elevated access to the user's cloud resources. Azure Cloud Shell runs on a non-shared kernel in an isolated hypervisor VM. Due to the single-tenant hypervisor security boundary, accessing the host within the container VM does not lead to cross-tenant access, but grants access within the user's session.
The talk covers technical aspects of the vulnerability root cause, including the exploitation techniques used to gain elevated privileges in the user's own Cloud Shell environment. The session will examine the broader implications of such vulnerabilities and their mitigations in multi-tenant cloud infrastructures. Finally, a demo will be showcased as a proof of concept.
This vulnerability was disclosed responsibly to Microsoft and has been mitigated. This talk emphasizes the importance of securing kernel modules and demonstrates how proactive research can uncover and address critical risks in widely used cloud platforms. Attendees will gain valuable insights into cloud security, kernel exploitation, and the significance of vulnerability research.
AI Generated Summary
The talk focused on the security of Azure Cloud Shell, a browser-accessible terminal for managing Azure resources. The researchers discovered two vulnerabilities: an Open vSwitch integer manipulation vulnerability, which allowed for privilege escalation, and an NFTables use-after-free vulnerability, which granted unauthorized access and control. They analyzed the root cause of these flaws, specifically improper reference counting in the NFTables API, and demonstrated how these vulnerabilities could be exploited to gain root access.
The researchers presented a detailed explanation of the exploit chain, including the initialization of the NFTables transaction, the allocation of memory, and the deactivation of the reference count. They also showed how the vulnerabilities could be used to leak sensitive data and bypass security controls.
The talk highlighted the importance of container security and the potential for container escapes, even with isolation layers like NSJail and Hyper-V. The researchers emphasized that security is a team effort and that configurations, such as default root access, can have significant implications.
Microsoft has since fixed the vulnerabilities, releasing an updated kernel version and implementing additional security controls, such as restricting container escapes and ensuring that user sessions do not compromise other sessions. The researchers concluded by emphasizing the need for ongoing research and vigilance in container security and the importance of responsible disclosure and collaboration with vendors to address vulnerabilities.