FabricScape: Microsoft warns of vuln in Service Fabric

Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release. The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/ …

  1. Pascal Monett Silver badge
    Coat

    "Windows has been thoroughly vetted"

    Oh really ?

    You don't say. By who ?

    Maybe you get some of those guys to thoroughly vet your updates as well ?

    Silly me, I need some more frog pills . . .

    1. ITMA Silver badge
      Devil

      Re: "Windows has been thoroughly vetted"

      The Vet - Windows 11 has been well and truly neutered.

      1. Wellyboot Silver badge

        Re: "Windows has been thoroughly vetted"

        >>>"By design," said Microsoft, "root access on the machine hosting the SF node is not considered a security boundary in an SF cluster; the highest privileged role on a node is equally privileged anywhere in the same cluster."<<<

        By design root access is not a security boundary ! - MS harking back to DOS then...

  2. Lars
    Coat

    Is Microsoft in the process of giving Linux a bad reputation among MS users?

  3. Anonymous Coward

    What?

    This is an issue with Microsoft's Service Fabric, but it's Linux's fault because a process running in Linux can escape and take over the Service Fabric cluster. Maybe Service Fabric server should control what processes can access, not the guest.

    1. ElReg!comments!Pierre

      Re: What?

      My thought exactly. It's a Linux issue because Windows doesn't allow you to do much so you can't exploit this Microsoft bug from Windows...

      - Embrace : Check, Linux on Azure

      - Extend : not an issue in a Cloud, it's more like "Empower" there (still an "E" so in-spec)

      - Extinguish : Let's artificially create security bugs on our platform that are only exploitable from the competition's guest, then claim it's the guest's fault.

      1. gerryg

        Re: What?

        At best it's an admin issue.

        Execute privileges are required to exploit this vulnerability. Once you have given away execute privileges you have given away everything.

        That's why users don't get execute privileges.

        There's a reason 666 is the number of the beast

        1. ElReg!comments!Pierre

          Re: What?

          "That's why users don't get execute privileges.

          There's a reason 666 is the number of the beast"

          666 is the number of the beast because it gives me the privilege to execute users who demand it. Or did I get that wrong all that time ?

        2. Anonymous Coward

          Re: What?

          Except on Windows which has proper constrained delegation so execute can still be restricted as to what it can do.

    2. Anonymous Coward
      Linux

      Re: What?

      OTOH, I would be significantly less pleased if M$ imposed its Windoze restrictions on Linux.

      1. Anonymous Coward

        Re: What?

        And fixed its security you mean? Such that you can delegate rights granularly and SUDO doesn't need root privileges.

        1. ElReg!comments!Pierre
          Facepalm

          Re: What?

          "Such that you can delegate rights granularly and SUDO doesn't need root privileges."

          Can you elaborate on that ? because that's something *Nix has been doing for a few decades now, and that MS just figured they might try to emulate, like, last year or so. And they spectacularly failed.

  4. This post has been deleted by its author
