Microsoft Azure Container Instances Privilege Escalation Vulnerability
Vulnerability
A vulnerability allowing external control of file names or paths in Confidential Azure Container Instances has been identified. It enables an authorized attacker to elevate privileges locally by manipulating file shares so that harmful code is executed within the confidential ACI sidecar container; in effect, control of the host is escalated into the confidential containers, which the confidential computing boundary is meant to protect from the host.
Impact
Successful exploitation allows an attacker to execute code in the targeted guest environment of a confidential ACI container, potentially leading to unauthorized access or manipulation of sensitive data and resources.
Remediation
To address this vulnerability, users should update Helm charts to version 1.3012.25080101 or later and regenerate their Confidential Compute Environment (CCE) policy with a minimum infrastructure fragment SVN of 4. Instructions for updating the Azure CLI confcom extension and redeploying workloads are available in the Microsoft Security Update Guide.
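To check whether a deployment actually meets the remediation above, it helps to inspect the two artifacts the advisory names: the Helm chart version and the Confidential Compute Environment (CCE) policy that the deployment carries. The following audit helper is an added example, not code from the advisory or from Microsoft. It assumes the CCE policy is a base64-encoded Rego document in the layout emitted by the confcom extension, containing a `fragments := [...]` list whose entries carry a `"feed"` and a `"minimum_svn"` value; the sample policies, feed name and chart versions below are constructed for the example. A deployment passes only if the chart is at or above 1.3012.25080101 and the infrastructure fragment's `minimum_svn` is at least 4.

```python
"""Audit a Confidential ACI deployment against the advisory's remediation.

Added example (not from the advisory or from Microsoft). Assumed input
format: a base64-encoded Rego CCE policy with a `fragments := [...]` list
whose entries have "feed" and "minimum_svn" entries. Sample data is
constructed for this example.
"""
import base64
import re
from typing import Optional

REQUIRED_CHART_VERSION = (1, 3012, 25080101)  # minimum chart version from the advisory
REQUIRED_INFRA_SVN = 4                         # minimum infrastructure fragment SVN from the advisory

# Matches one `{ ... }` object in the policy (fragment entries contain no nested braces).
_OBJECT_RE = re.compile(r"\{[^{}]*\}", re.S)
_FEED_RE = re.compile(r'"feed"\s*:\s*"([^"]*)"')
_SVN_RE = re.compile(r'"minimum_svn"\s*:\s*"?(\d+)"?')


def parse_version(version: str) -> tuple:
    """Turn '1.3012.25080101' (optionally 'v'-prefixed) into a comparable int tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def chart_is_patched(version: str) -> bool:
    """True when the Helm chart version is at or above the advisory's fixed version."""
    return parse_version(version) >= REQUIRED_CHART_VERSION


def infra_fragment_svn(policy_rego: str,
                       feed_substring: str = "aci-cc-infra-fragment") -> Optional[int]:
    """Return the minimum_svn required of the infrastructure fragment, or None if absent.

    `feed_substring` is an assumption about how the infrastructure fragment's
    feed is named; adjust it to match the feed in your own generated policy.
    """
    for match in _OBJECT_RE.finditer(policy_rego):
        obj = match.group(0)
        feed = _FEED_RE.search(obj)
        svn = _SVN_RE.search(obj)
        if feed and svn and feed_substring in feed.group(1):
            return int(svn.group(1))
    return None


def decode_policy(policy_b64: str) -> str:
    """CCE policies are carried base64-encoded in the deployment; decode to Rego text."""
    return base64.b64decode(policy_b64).decode("utf-8")


def audit(chart_version: str, policy_b64: str) -> dict:
    """Combine both checks; `remediated` is True only when chart and policy both pass."""
    svn = infra_fragment_svn(decode_policy(policy_b64))
    chart_ok = chart_is_patched(chart_version)
    policy_ok = svn is not None and svn >= REQUIRED_INFRA_SVN
    return {
        "chart_ok": chart_ok,
        "infra_svn": svn,
        "policy_ok": policy_ok,
        "remediated": chart_ok and policy_ok,
    }


def _sample_policy(minimum_svn: str) -> str:
    """Constructed Rego policy fragment list in the assumed confcom layout (base64)."""
    rego = f'''package policy

api_version := "0.10.0"
framework_version := "0.2.3"

fragments := [
  {{
    "feed": "mcr.microsoft.com/aci/aci-cc-infra-fragment",
    "includes": ["containers", "fragments"],
    "issuer": "did:x509:0:sha256:<ISSUER-PLACEHOLDER>::eku:1.3.6.1.4.1.311.76.59.1.3",
    "minimum_svn": "{minimum_svn}",
  }},
]
'''
    return base64.b64encode(rego.encode("utf-8")).decode("ascii")


# Constructed samples: a policy generated before the fix (SVN 1) and one regenerated after it (SVN 4).
SAMPLE_OLD_POLICY_B64 = _sample_policy("1")
SAMPLE_PATCHED_POLICY_B64 = _sample_policy("4")

if __name__ == "__main__":
    print("old deployment:    ", audit("1.3011.25060101", SAMPLE_OLD_POLICY_B64))
    print("patched deployment:", audit("1.3012.25080101", SAMPLE_PATCHED_POLICY_B64))
```

The policy check is deliberately separate from the chart check: updating the chart alone leaves the old CCE policy in place, and that policy still accepts an infrastructure fragment with a lower SVN, so only the combined result should be treated as remediated.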
