Azure Storage Utility Vulnerability

A critical security vulnerability has been disclosed in AZNFS-mount, an Azure utility, that allows attackers to escalate privileges from an unprivileged user to root on Linux machines. The vulnerability affects all versions of the utility up to 2.0.10; the utility comes preinstalled on Azure HPC/AI images.

The flaw is a classic privilege-escalation case involving a Set User ID (SUID) binary that is part of the AZNFS-mount installation, Varonis said in a report shared with Cyber Security News.

The utility is designed to mount Azure Storage Account NFS endpoints, so that users can reliably access Azure Blob storage over NFS even when endpoint IP addresses change.


AZNFS-mount is installed by an installation script (aznfs_install.sh) that runs as root and creates binaries that run with superuser privileges to establish mount points and modify DNAT rules.

The vulnerability lies in the mount.aznfs binary, which is installed with SUID permissions and calls a C function in a way that preserves the caller's environment, allowing an unprivileged user to execute arbitrary commands with root privileges.


“When users execute ‘mount -t aznfs’, this runs the vulnerable binary ‘mount.aznfs’, which calls a script to create the mount point,” explained Varonis researchers in their disclosure published earlier this week.

The vulnerability centers on the mount.aznfs binary, which is packaged with file mode 4755, meaning the SUID bit is set and any user can execute it.

The binary executes a Bash script located at /opt/microsoft/aznfs/mountscript.sh using the execv function, which preserves the caller's environment variables.

AZNFS-mount source code

The exploitation involves manipulating the BASH_ENV environment variable. According to Varonis researchers, “By setting BASH_ENV to a value such as ‘$(command)’, Bash executes the command and tries to evaluate its result as a filename to load”.

This allows attackers to execute arbitrary commands as root, potentially enabling them to mount additional storage containers, install malware, or move laterally through networks and cloud environments.
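The following C program is an added illustration, not code from the AZNFS-mount project: it models the pattern the article describes (a SUID helper handing its caller's entire environment to a Bash script through execv) beside the hardened form a defender would expect, where the script is started with execve and an explicit, allowlisted environment so that variables such as BASH_ENV never reach a root shell. The script path is the one named above; the exact way mount.aznfs invokes the script, the allowlist of variable names and the fixed PATH are assumptions chosen for the example.

```c
/* Added example (not the AZNFS-mount project's own code). Models a SUID
 * helper that passes its caller's whole environment to a Bash script via
 * execv(), and a hardened launcher that passes only an allowlisted, fixed
 * environment via execve(). Invocation details, the allowlist and the fixed
 * PATH are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SCRIPT_PATH "/opt/microsoft/aznfs/mountscript.sh"  /* path named in the article */
#define SAFE_PATH   "PATH=/usr/sbin:/usr/bin:/sbin:/bin"    /* assumed trusted PATH */

extern char **environ;

/* Names the helper script may inherit. Anything else, including BASH_ENV,
 * ENV and LD_PRELOAD, is discarded. PATH is always replaced, never inherited. */
static const char *const allowed_names[] = { "LANG", "LC_ALL", NULL };

/* Returns 1 if the SUID bit is set in `mode` (e.g. the 4755 mode from the article). */
int mode_is_suid(mode_t mode) {
    return (mode & S_ISUID) != 0;
}

/* Returns 1 if `entry` ("NAME=value") names an allowlisted variable, else 0. */
int env_entry_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t name_len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        if (strlen(allowed_names[i]) == name_len &&
            memcmp(allowed_names[i], entry, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Copies the allowlisted entries of `in` into `out`, appends the fixed PATH
 * and NULL-terminates the array. `out_cap` is the size of `out` in pointers
 * (must be at least 2). Returns the number of entries written, excluding
 * the terminator. */
size_t build_clean_env(char *const in[], const char *out[], size_t out_cap) {
    size_t n = 0;
    /* keep two slots free: the fixed PATH and the NULL terminator */
    for (size_t i = 0; in[i] != NULL && n + 2 < out_cap; i++) {
        if (env_entry_allowed(in[i]))
            out[n++] = in[i];
    }
    out[n++] = SAFE_PATH;
    out[n] = NULL;
    return n;
}

/* Vulnerable pattern as described in the article: execv() passes the
 * caller's entire environment, so a caller-controlled BASH_ENV reaches a
 * Bash process running as root. Returns only if the exec fails. */
int run_script_unsafe(void) {
    char *const argv[] = { "/bin/bash", SCRIPT_PATH, NULL };
    execv("/bin/bash", argv);
    return -1;
}

/* Hardened pattern: the script runs with an explicit, minimal environment. */
int run_script_hardened(void) {
    const char *clean[16];
    build_clean_env(environ, clean, sizeof clean / sizeof clean[0]);
    char *const argv[] = { "/bin/bash", SCRIPT_PATH, NULL };
    execve("/bin/bash", argv, (char *const *)clean);
    return -1;
}

/* Self-check on a constructed caller environment. Returns the number of
 * entries that survive sanitisation, or -1 if a BASH_ENV entry got through. */
int sanitise_sample_env(void) {
    /* constructed sample of what an unprivileged caller might hand to the helper */
    char *const sample[] = {
        "PATH=/tmp/untrusted:/usr/bin",
        "BASH_ENV=/tmp/constructed-value",
        "LANG=C.UTF-8",
        NULL
    };
    const char *clean[16];
    size_t n = build_clean_env(sample, clean, 16);
    for (size_t i = 0; i < n; i++) {
        if (strncmp(clean[i], "BASH_ENV=", 9) == 0)
            return -1;
    }
    return (int)n;
}

int main(void) {
    printf("SUID bit set in mode 4755: %d\n", mode_is_suid(04755));
    printf("entries surviving sanitisation: %d\n", sanitise_sample_env());
    /* run_script_hardened() is deliberately not called: it would exec the real script. */
    return 0;
}
```

The self-check keeps only LANG from the constructed environment and appends the fixed PATH, so two entries survive and BASH_ENV is gone. Replacing PATH rather than allowlisting it matters in the same way: a SUID program that inherits PATH lets the caller decide which `mount` or `iptables` the root-level script finds.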

Although Azure classified the issue as low severity, a fix has been merged in version 2.0.11 of the AZNFS-mount utility. Azure customers using Azure HPC images or NFS for Azure Storage should immediately enable the utility's auto-update feature or manually update to the latest version.

The Kubernetes blob-csi-driver has already upgraded to the patched version as part of its security updates, underscoring the importance of the patch despite its "low severity" classification.

Azure Blob Storage, one of Microsoft’s most popular cloud storage solutions, supports various access methods, including REST API, SFTP, and NFS protocol.

It’s important to note that access via NFS doesn’t interoperate with other Azure Storage permission models, such as role-based and attribute access controls. The NFS endpoint lacks access controls, meaning access to the endpoint permits access to all objects in the storage container.

Organizations using Azure storage should review their security configurations regularly and maintain updated utilities to prevent potential exploitation of vulnerabilities like this one.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.