Critical Vulnerability in Azure Storage Utility Allows Privilege Escalation to Root

A significant security flaw has been identified in AZNFS-mount, an Azure utility integral to mounting Azure Storage Account NFS endpoints. This vulnerability enables attackers to escalate their privileges from an unprivileged user to root on Linux systems. The issue affects all versions up to 2.0.10 of the utility, which is preinstalled on Azure High-Performance Computing (HPC) and Artificial Intelligence (AI) images.

Understanding AZNFS-mount and Its Functionality

AZNFS-mount is designed to facilitate the mounting of Azure Storage Account NFS endpoints, providing users with reliable access to Azure Blob storage via the Network File System (NFS) protocol. This functionality is particularly crucial when endpoint IP addresses change, ensuring continuous and seamless access to storage resources.

The Nature of the Vulnerability

The core of this security flaw is a classic privilege escalation path through a Set User ID (SUID) binary shipped with the AZNFS-mount utility. Specifically, the mount.aznfs binary is installed with the SUID bit set, so it executes with the privileges of the file’s owner, which is root. The binary launches a helper script with an exec call that passes the caller’s environment through unchanged, and that inherited environment can be exploited to execute arbitrary commands with root privileges.

Technical Details of the Exploit

When a user runs `mount -t aznfs`, the mount command invokes the vulnerable mount.aznfs binary. That binary, in turn, runs the script at `/opt/microsoft/aznfs/mountscript.sh` via the `execv` function. Notably, `execv` passes the caller’s environment variables through to the new program unchanged.

Attackers can exploit this behavior by manipulating the `BASH_ENV` environment variable. Bash expands `BASH_ENV` before using it as the name of a startup file, so a value such as `$(command)` causes Bash to execute the command and treat its output as the filename to load. Because the script runs as root, this lets attackers execute arbitrary commands with root privileges, potentially leading to severe consequences, including:

– Mounting Additional Storage Containers: Attackers can gain unauthorized access to other storage resources, leading to data breaches.

– Installing Malware: With root access, malicious software can be installed, compromising system integrity.

– Lateral Movement: Attackers can navigate through networks and cloud environments, escalating the scope of the attack.
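The root cause above is a privileged program handing its caller's environment, untouched, to a shell. The following C example (added here; it is not AZNFS-mount's code and the allowlist and helper path are illustrative assumptions) shows the defensive pattern: a SUID helper builds a minimal environment with a fixed PATH and a short allowlist of caller variables, then launches its script with `execve` instead of `execv`. It also includes a small audit check that flags an inherited environment carrying `BASH_ENV`, `ENV` or `LD_*`, the variables that change how bash or the dynamic loader starts.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fixed PATH for the child; never taken from the caller. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"

/* Allowlist: the only caller variables copied through to the helper.
 * Assumption: this list is illustrative for the example, not the list
 * any real mount helper uses. */
static const char *const ALLOWED_NAMES[] = { "TZ", "LANG", NULL };

/* Length of the NAME part of "NAME=value", or 0 if there is no '='. */
static size_t env_name_len(const char *kv) {
    const char *eq = strchr(kv, '=');
    return eq ? (size_t)(eq - kv) : 0;
}

/* 1 if kv names a variable on the allowlist, else 0. */
int env_is_allowed(const char *kv) {
    size_t n = env_name_len(kv);
    if (n == 0) return 0;
    for (size_t i = 0; ALLOWED_NAMES[i]; i++) {
        if (strlen(ALLOWED_NAMES[i]) == n && strncmp(ALLOWED_NAMES[i], kv, n) == 0)
            return 1;
    }
    return 0;
}

/* Audit check: 1 if env carries a variable that alters bash start-up or
 * dynamic loading (BASH_ENV, ENV, LD_*), else 0. */
int env_has_interpreter_override(char *const *env) {
    for (size_t i = 0; env[i]; i++) {
        if (strncmp(env[i], "BASH_ENV=", 9) == 0) return 1;
        if (strncmp(env[i], "ENV=", 4) == 0) return 1;
        if (strncmp(env[i], "LD_", 3) == 0) return 1;
    }
    return 0;
}

/* Build a minimal NULL-terminated environment for the privileged helper:
 * a fixed PATH plus allowlisted caller variables only. out[] must hold at
 * least cap pointers. Returns the number of entries written (excluding the
 * terminating NULL), or 0 if cap is too small. */
size_t build_safe_env(char *const *inherited, const char **out, size_t cap) {
    if (cap < 2) return 0;              /* need room for PATH and the NULL */
    size_t n = 0;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; inherited[i] && n < cap - 1; i++) {
        if (env_is_allowed(inherited[i]))
            out[n++] = inherited[i];
    }
    out[n] = NULL;
    return n;
}

/* Hardened launch: explicit environment via execve rather than execv.
 * Returns only on failure. */
int run_helper_clean(const char *helper, char *const *inherited) {
    const char *safe[32];
    if (build_safe_env(inherited, safe, 32) == 0) return -1;
    char *const argv[] = { (char *)helper, NULL };
    execve(helper, argv, (char *const *)safe);
    perror("execve");
    return -1;
}

int main(void) {
    /* Constructed sample of a caller environment carrying overrides. */
    char *const sample[] = { "BASH_ENV=/untrusted/startup-file", "TZ=UTC",
                             "LD_PRELOAD=/untrusted/lib.so", NULL };
    const char *safe[8];
    size_t n = build_safe_env(sample, safe, 8);
    printf("override present in caller env: %d\n", env_has_interpreter_override(sample));
    for (size_t i = 0; i < n; i++)
        printf("child env[%zu] = %s\n", i, safe[i]);
    /* A real helper would now call run_helper_clean("/path/to/mountscript.sh", sample). */
    return 0;
}
```

The allowlist approach is deliberate: a denylist of known-dangerous names (BASH_ENV, ENV, LD_PRELOAD, SHELLOPTS, and so on) is easy to get wrong and has to track every interpreter the script may invoke, whereas starting from an empty environment and adding back only what the helper needs removes the whole class of inherited-variable problems. The audit function is the kind of check a defender can reuse in a wrapper or a log line to spot callers presenting such variables to a privileged entry point.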

Azure’s Response and Mitigation Measures

Despite Azure classifying this vulnerability as low severity, a fix has been implemented in version 2.0.11 of the AZNFS-mount utility. Azure customers utilizing Azure HPC images or employing NFS for Azure Storage are strongly advised to:

– Enable Auto-Update: Ensure the utility’s auto-update feature is active to receive the latest security patches promptly.

– Manual Update: Manually update to the latest version to mitigate the vulnerability.

The Kubernetes blob-csi-driver has already upgraded to the patched version as part of its security updates, underscoring the importance of this patch despite its low severity classification.

Broader Implications and Recommendations

Azure Blob Storage is one of Microsoft’s most popular cloud storage solutions, supporting several access methods, including the REST API, SFTP, and the NFS protocol. It is crucial to note that NFS access does not interoperate with the other Azure Storage permission models, such as role-based and attribute-based access control. The NFS endpoint itself enforces no access controls, so anyone who can reach the endpoint can access every object in the storage container.

Organizations utilizing Azure storage should:

– Regularly Review Security Configurations: Conduct periodic assessments to identify and rectify potential vulnerabilities.

– Maintain Updated Utilities: Ensure all utilities and tools are up-to-date to prevent exploitation of known vulnerabilities.

– Implement Robust Access Controls: Utilize Azure Active Directory authentication and other security measures to enhance protection.

By proactively addressing these security concerns, organizations can safeguard their systems against potential exploits and maintain the integrity of their cloud environments.