Orca Security researchers discovered a new vulnerability called Super FabriXss (CVE-2023-23383 – CVSS score: 8.2) in Azure Service Fabric Explorer that allows unauthenticated remote code execution.

Azure Service Fabric Explorer is a web-based management tool that allows users to visualize and monitor their Service Fabric clusters. It provides detailed information on the status of applications, services, and nodes within the cluster, as well as metrics, logs, and diagnostics. It also allows users to perform administrative tasks such as creating or deleting applications and services, upgrading or scaling them, and viewing health reports.

The vulnerability can be exploited by sending a crafted URL to any Azure Service Fabric user, and once the iframe is embedded, the attacker can take control of the target system and potentially take control of the cluster node.

The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication. What started initially as a discovery of an XSS vulnerability that allowed a malicious script to be reflected off a web application, ended up being a full remote code execution (RCE) vulnerability after clicking on a crafted malicious URL and toggling the ‘Cluster’ Event Type setting under the Events tab.

Microsoft has released a security update to address the vulnerability.