Service Fabric Explorer (SFX) web client CVE-2023-23383 spoofing vulnerability

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Service Fabric Explorer (SFX) is the web client used when accessing a Service Fabric (SF) cluster from a web browser. The version of SFX in use is determined by the version of your SF cluster. We are providing this blog to make customers aware that Service Fabric versions 9.1.1436.9590 and below are affected. These versions could allow unwanted code execution in the cluster if an attacker successfully convinces a victim to click a malicious link and then perform additional actions in the Service Fabric Explorer interface. This issue was resolved in Service Fabric 9.1.1583.9589, released on March 14th, 2023, and is tracked as CVE-2023-23383 with a CVSS score of 8.2 / 7.1. See the Technical Details section for more information.

Affected versions 

This vulnerability affects Service Fabric versions 9.1.1436.9590 and below. Information on Service Fabric versions can be found at Azure Service Fabric versions. 

Fix 

CVE-2023-23383 was published on March 14, 2023; Service Fabric version 9.1.1583.9590, released the same day, fully addresses this issue.

  • All Service Fabric clusters with auto upgrade enabled are already on version 9.1.1583.9590, which protects against this issue. No further action is needed.
  • All Service Fabric customers that do not have auto upgrade enabled should upgrade to 9.1.1583.9590 to be fully protected against this issue. See more details on how to upgrade by visiting Manage Service Fabric cluster upgrades.
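The following is an added example, not code from the original post or from the Service Fabric project, for turning the two version boundaries stated above into a repeatable check over a cluster inventory. It assumes the operator has already collected each cluster's code version with their usual tooling (Azure portal, Service Fabric PowerShell, or sfctl); the inventory below is constructed sample data. Versions at or below 9.1.1436.9590 are reported as affected and versions at or above 9.1.1583.9590 as fixed; anything in between is not characterised by the advisory and is flagged for a release-notes check rather than silently assumed safe.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Version boundaries taken from the advisory text above.
LAST_KNOWN_AFFECTED = "9.1.1436.9590"
FIXED_VERSION = "9.1.1583.9590"


class Status(Enum):
    AFFECTED = "affected: upgrade to the fixed version"
    FIXED = "fixed: no action needed"
    UNKNOWN = "between last-known-affected and fixed: consult the release notes"


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a four-part Service Fabric version such as '9.1.1583.9590'.

    Components are compared numerically, so '9.1.999.1' sorts below
    '9.1.1436.9590' even though a plain string comparison would not.
    Raises ValueError for anything that is not four numeric components.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> Status:
    """Classify one cluster code version against the advisory's boundaries."""
    v = parse_version(version)
    if v <= parse_version(LAST_KNOWN_AFFECTED):
        return Status.AFFECTED
    if v >= parse_version(FIXED_VERSION):
        return Status.FIXED
    return Status.UNKNOWN


@dataclass(frozen=True)
class Cluster:
    name: str
    code_version: str   # as reported by the cluster, not what auto-upgrade promises
    auto_upgrade: bool


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_CLUSTERS = [
    Cluster("prod-east", "9.1.1583.9590", auto_upgrade=True),
    Cluster("legacy-lab", "9.0.1017.9590", auto_upgrade=False),
    Cluster("staging", "9.1.1500.1", auto_upgrade=True),
]


def report(clusters: list[Cluster]) -> dict[str, Status]:
    """Map each cluster name to its status, judged on the observed version.

    A cluster with auto upgrade enabled is still judged on what it reports,
    so a pending or failed automatic upgrade is not mistaken for a fixed one.
    """
    return {c.name: classify(c.code_version) for c in clusters}


def needs_action(clusters: list[Cluster]) -> list[str]:
    """Names of clusters that are not confirmed fixed, in inventory order."""
    return [name for name, status in report(clusters).items() if status is not Status.FIXED]


if __name__ == "__main__":
    for name, status in report(SAMPLE_CLUSTERS).items():
        print(f"{name:12s} {status.value}")
    print("needs action:", ", ".join(needs_action(SAMPLE_CLUSTERS)))
```

The three-way result is deliberate: collapsing the gap between the last affected and the first fixed version into either bucket would either over-report or, worse, mark an unverified build as safe.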

Technical Details 

An attacker could send an authenticated cluster operator a specifically crafted URL which includes the cluster's address, a specific path, and an encoded payload. The victim would need to click the malicious link and authenticate to the cluster, at which point Service Fabric Explorer would load and display as shown below.

[Screenshot: Service Fabric Explorer as loaded from the crafted URL]

The user would then need to click the “Event Type” drop down. 

[Screenshot: the "Event Type" drop-down in Service Fabric Explorer]

Then the user would need to toggle either Cluster or Repair Tasks; at this point the payload embedded in the URL would be executed in the context of that user's session.

[Screenshot: the Cluster / Repair Tasks toggle in the "Event Type" drop-down]


We thank Orca Security for informing us of this vulnerability and working with us under Coordinated Vulnerability Disclosure to help protect our customers. 
