SMA Technologies OpCon UNIX agent adds the same SSH key on every installation and subsequent updates. An attacker with access to the private key can gain root access on affected systems.
Description
During OpCon UNIX agent installation and updates, an SSH public key is added to the root account's authorized_keys file. The corresponding private key titled sma_id_rsa is included with the installation files and is not encrypted with a passphrase. Removal of the OpCon software does not remove the entry from the authorized_keys file.
Impact
An attacker with access to the private key included with the OpCon UNIX agent installation files can gain SSH access as root on affected systems.
The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.
Description
The uClibc and the Uclibc-ng software are lightweight C standard libraries intended for use in embedded systems and mobile devices. The uClibc library has not been updated since May of 2012. The newer uClibc-ng is the currently maintained fork of uClibc, as announced on the OpenWRT mailing list in July 2014.
Researchers at the Nozomi Networks Security Research Team discovered that all existing versions of uClibc and uClibc-ng libraries are vulnerable to DNS cache poisoning. These libraries do not employ any randomization in the DNS Transaction ID (DNS TXID) field when creating a new DNS request. This can allow an attacker to send maliciously crafted DNS packets to corrupt the DNS cache with invalid entries and redirect users to arbitrary sites. As uClibc and uClibc-ng are used in devices such as home routers and firewalls, an attacker can perform attacks against multiple users in a shared network environment that relies on DNS responses from the vulnerable device.
The DNS cache poisoning scenarios and defenses are discussed in IETF RFC5452.
Impact
The lack of DNS response validation can allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to malicious sites.
Solution
Apply a patch
If your vendor has developed a patched version of uClibc or uClibc-ng to address this issue, apply the updates provided by your vendor. uClibc-ng was updated to 1.0.41 on 05/20/2022.
Product Developers
If you have a forked or customized version of uClibc or uClibc-ng, develop or adopt a patch to ensure the dns_lookup function provides adequate randomization of DNS TXID's while making DNS requests. Review and consider applying the patch has been made available in patchwork repository of uClibc-ng with VU#638879 tag.
Follow security best practices
Consider the following security best-practices to protect DNS infrastructure:
Prevent direct exposure of IoT devices and lightweight devices over the Internet to minimize attacks against a caching DNS server.
Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS recursion services where applicable.
Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).
Acknowledgements
Thanks to the Nozomi Networks Security Research Team for this report
This document was written by Vijay Sarvepalli and Timur Snoke.
Tychon contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files.
Description
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
Impact
By placing a specially-crafted openssl.cnf in a location used by Tychon, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Tychon software installed.
Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.
Description
Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within C:\Qt\, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root C:\ drive location.
In 2015, a patch was made to windeployqt to strip out any existing qt_prfxpath value from Qt5Core.dll. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.
Impact
By placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.
Solution
Apply an update
This issue is addressed in Qt 5.14. Starting with this version, Qt no longer hard-codes the qt_prfxpath value in Qt5Core.dll.
Run windeployqt to prepare Windows Qt software for deployment
The windeployqt utility will replace the qt_prfxpath value in the Qt core DLL with the value of ., which helps prevent this path from being used to achieve privilege escalation.
The Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
The Spring Framework is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.
Exploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.
By providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.
Visual Voice Mail (VVM) services transmit unencrypted credentials via SMS. An attacker with the ability to read SMS messages can obtain VVM IMAP credentials and gain access to VVM data.
Description
VVM is specified by Open Mobile Terminal Platform-OMPT and is implemented with SMS and IMAP (and other protocols). VVM IMAP credentials are sent unencrypted in SMS messages. From vvm-disclosure:
When a client sends any sort of STATUS SMS (activate, deactivate, status), the carrier will respond with all credentials needed to log into the IMAP server (i.e. username, password, server host-name).
To intercept an SMS message, an attacker would need, for example:
* temporary physical access to the SIM card,
* to operate a spoofed a base station (cell tower), or
* to convince a user to install a malicious application that has SMS access.
VVM IMAP services may be widely accessible over the internet or carrier networks.
There is no indication on to a victim that someone else has access to their VVM. Android leaves their VVMs on the IMAP server until the client deletes it, so any VVMs on the client are accessible to a malicious actor.
Impact
An attacker with the ability to read SMS messages can obtain VVM IMAP credentials and gain access to VVM data.
Solution
We are not aware of a practical solution to this vulnerability.
Take general precautions against SMS interception.
If supported, change your VMM password on some basis.
Delete VMM data quickly.
Acknowledgements
Thanks to Chris Talbot for researching and reporting this vulnerability.
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called "stalkerware." An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
Description
IDOR is a common web application flaw that essentially exposes information on a server because of insufficient authentication or authorization controls. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below.
An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
Solution
We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability.
Before you proceed, have a safety plan in place. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation.
Acknowledgements
Thanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware.
This document was written by James Stanley and Art Manion.
The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).
Description
UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. SMM's privileges, also referred to as "Ring -2," exceed the privileges of the operating system's kernel ("Ring-0"). For this reason, SMM is executed in a protected area of memory called the SMRAM. It is typically accessed via System Management Interrupt (SMI) Handlers using communication buffers, which are also known as "SMM Comm Buffers." The SMM also provides protection against SPI flash modifications and performs boot time verifications similar to those performed by SecureBoot.
UEFI software requires both openness (for hardware drivers, pluggable devices and Driver eXecution Environment (DXE) updates) as well as very tight security controls (for e.g., SMM Comm Buffer Security), making it a complex software that needs a thorough set of security controls that need validation throughout the software's lifecycle. UEFI also supports recent capabilities like Virtual Machine Manager (VMM) for virtualization and the increasing demand of virtual computing resources.
Insyde's H2O UEFI firmware contains several (23) memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendor implementations due to the complex UEFI supply chain. The vulnerabilities can be classified by the following UEFI vulnerability categories.
Vulnerability Category
Count
SMM Privilege Escalation
10
SMM Memory Corruption
12
DXE Memory Corruption
1
Impact
The impacts of these vulnerabilities vary widely due to the nature of SMM capabilities. As an example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system to execute arbitrary code in SMM mode. These attacks can be invoked from the operating system using the unverified or unsafe SMI Handlers, and in some cases these bugs can also be triggered in the UEFI early boot phases ( as well as sleep and recovery like ACPI) before the operating system is initialized.
In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:
Invalidate many hardware security features (SecureBoot, Intel BootGuard)
Install persistent software that cannot be easily erased
Create backdoors and back communications channels to exfiltrate sensitive data
Solution
Install the latest stable version of firmware provided by your PC vendor or your nearest reseller of your computing environments. See the links below to resources and updates provided by specific vendors.
If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), apply the related software security updates. Binarly has also provided a set of UEFI software detection rules called FwHunt rules to assist with identifying vulnerable software. LVFS applies these FwHunt rules to detect and support the fix of firmware updates that are impacted by this advisory.
Acknowledgements
The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
Description
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba with vfs_fruit configured allows out-of-bounds heap read and write via specially crafted extended file attributes.
For more information, see the Samba announcement for CVE-2021-44142 and bug 14914. Also available for reference is a detailed blog post from ZDI.
Impact
A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
Access as a user that has write access to a file's extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.
Solution
Apply an update
Samba has released versions 4.13.17, 4.14.12, and 4.15.5.
Disable vfs_fruit
As a workaround, remove 'fruit' from 'vfs objects' lines in Samba configuration files (e.g., smb.conf).
Acknowledgements
Thanks to Orange Tsai of DEVCORE for researching and reporting this vulnerability. Thanks also to Samba, ZDI, and Western Digital for coordination efforts.
This document was written by James Stanley and Art Manion.
McAfee Agent contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user may be able to place files.
Description
CVE-2022-0166
McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
Impact
By placing a specially-crafted openssl.cnf in a location used by McAfee Agent, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable McAfee Agent software installed.
Solution
Apply an update
This vulnerability is addressed in McAfee Agent version 5.7.5.
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.
CVE-2020-9057 Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets do not support encryption.
CVE-2020-9058 Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 encapsulation do not implement encryption or replay protection.
CVE-2020-9059 Z-Wave devices based on Silicon Labs 500 series chipsets using S0 authentication are susceptible to uncontrolled resource consumption which can lead to battery exhaustion.
CVE-2020-9060 Z-Wave devices based on Silicon Labs 500 series chipsets using S2 are susceptible to denial of service and resource exhaustion via malformed SECURITY NONCE GET, SECURITY NONCE GET 2, NO OPERATION, or NIF REQUEST messages.
CVE-2020-9061 Z-Wave devices based on Silicon Labs 500 and 700 series chipsets are susceptible to denial of service via malformed routing messages.
CVE-2020-10137 Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do not adequately authenticate or encrypt FIND_NODE_IN_RANGE frames.
Impact
Depending on the chipset and device, an attacker within Z-Wave radio range can deny service, cause devices to crash, deplete batteries, intercept, observe, and replay traffic, and control vulnerable devices.
Solution
Mitigations for these vulnerabilities vary based on the chipset and device. In some cases it may be necessary to upgrade to newer hardware, for example, 500 and 700 series chipsets that support S2 authentication and encryption.
Acknowledgements
Thanks to Carlos Kayembe Nkuba, Seulbae Kim, Sven Dietrich, and Heejo Lee for researching and reporting these vulnerabilities.
This document was written by Timur Snoke and Art Manion.
Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured for authentication.
Description
Saviynt Enterprise Identity Cloud contains two vulnerabilities in the password reset feature for the local authentication system. Specifying the id parameter returns user names and it is common that accounts with administrative privileges have low (often single digit) id values.
It is then possible to either unhide a button or directly access a URL that bypasses verification and allows the password to be changed. Accessing a login URL with the new credentials yields cookies that can be used to authenticate to the Enerprise Identity Cloud instance.
If another authentication or SSO system is configured, then it is not possible to exploit these vulnerabilities.
Impact
A remote, unauthenticated attacker can enumerate users and bypass authentication to change the password of an existing administrative user. The attacker can then perform administrative actions and possibly make changes to other connected authentication systems.
Solution
Saviynt has deployed a backend update for the software that resolves the issue in Saviynt IGA Release v5.5 SP2.x and later versions. As an additional layer of security, as the impacted URLs are not commonly used by customers leveraging SSO, Saviynt has blocked access to the URLs needed to exploit these vulnerabilities.
Saviynt users should not need to take any action but might want to confirm they are running a fixed version.
Acknowledgements
This document was written by Eric Hatleback and Art Manion.
Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.
The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS.
This vulnerability note includes information about the following related vulnerabilities.
CVE-2021-44228 tracks the initial JNDI injection and RCE vulnerability in Log4j 2. This vulnerability poses considerabily more risk than the others.
CVE-2021-4104 tracks a very similar vulnerability that affects Log4j 1 if JMSAppender and malicious connections have been configured.
CVE-2021-45046 tracks an incomplete fix for CVE-2021-44228 affecting Log4j 2.15.0 when an attacker has "...control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern."
We provide tools to scan for vulnerable jar files.
Certain conditions must be met to make Log4j 1.x vulnerable:
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Log4j API code alone is not affected:
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Impact
A remote, unauthenticated attacker with the ability to log specially crafted messages can cause Log4j to connect to a service controlled by the attacker to download and execute arbitrary code.
Solution
In Log4j 2.12.2 (for Java 7) and 2.16.0 (for Java 8 or later) the message lookups feature has been completely removed. In addition, JNDI is disabled by default and other default configuration settings are modified to mitigate CVE-2021-44228 and CVE-2021-45046.
For Log4j 1, remove the JMSAppender class or do not configure it. Log4j 1 is not supported and likely contains unfixed bugs and vulnerabilities (such as CVE-2019-17571).
For applications, services, and systems that use Log4j, consult the appropriate vendor or provider. See the CISA Log4j Software List and the Vendor Information section below.
Workarounds
Remove the JndiLookup class from the classpath, for example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
As analysis has progressed, certain mitigations have been found to be less effective or incomplete. See "Older (discredited) mitigation measures" on the Apache Log4j Security Vulnerabilities page.
SLF4J also recommends write-protecting Log4j configuration files.
Acknowledgements
Apache credits Chen Zhaojun of Alibaba Cloud Security Team for reporting CVE-2021-44228 and CVE-2021-4104 and Kai Mindermann of iC Consult for CVE-2021-45046.
Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers, interpreters, and other development tools may permit Unicode control and homoglyph characters, changing the visually apparent meaning of source code.
Description
Internationalized text encodings require support for both left-to-right languages and also right-to-left languages. Unicode has built-in functions to allow for encoding of characters to account for bi-directional, or Bidi ordering. Included in these functions are characters that represent non-visual functions. These characters, as well as characters from other human language sets (i.e., English vs. Cyrillic) can also introduce ambiguities into the code base if improperly used.
This type of attack could potentially be used to compromise a code base by capitalizing on a gap in visually rendered source code as a human reviewer would see and the raw code that the compiler would evaluate.
Impact
The use of attacks that incorporate maliciously encoded source code may go undetected by human developers and by many automated coding tools. These attacks also work against many of the compilers currently in use. An attacker with the ability to influence source code could introduce undetected ambiguity into source code using this type of attack.
Solution
The simplest defense is to ban the use of text directionality control characters both in language specifications and in compilers implementing these languages.
Two CVEs were assigned to address the two types of attacks described in this report.
CVE-2021-42574 was created for tracking the Bidi attack.
CVE-2021-42694 was created for tracking the homoglyph attack.
Acknowledgements
Thanks to the reporters, Nicholas Boucher and Ross Anderson of The University of Cambridge (UK).
The default security configuration in Salesforce allows an authenticated user with the Salesforce-CLI to create URL that will allow anyone, anywhere access to the Salesforce GUI with the same administrative credentials without a log trace of access or usage of the API.
Description
The Salesforce-cli interface allows an authenticated user to create an access URL using the CLI interface. This URL can be shared as a link, so anyone who has the link can access this site from anywhere (any IP address or any device) with the same access rights as the creator or the URL. This access is only available for the duration of the access token, however this new access will not be logged or tracked in any way available to the user or to the user's organization. The generated URL requires no user/pass or any form of challenge/response, such as MFA, to verify the identity of the new access. OWASP API Security 2019 recommends a number of protections (relevant sections API2:2019, API6:2019 and API10:2019) of API endpoints that will prevent potential abuse of such API endpoints by malicious actors, including malicious insiders.
Impact
An unauthenticated user who gains access to an URL, generated by Salesforce-cli, can perform administrative actions as if logged in with the same rights as the account owner who generated the URL. This includes the ability to add user accounts that have administrative rights, manage existing users or applications, and any other action that is available to the user who generated the URL.
Solution
In the Salesforce GUI you can Modify Session Security Settings, it is possible to Lock Sessions to the IP address that the session originated on, which would limit the ability for the URL to be shared with other hosts. The default configuration does not have this lock enabled because it may impact various applications and some mobile devices. It is also possible to lock down sessions using domain names instead of IP addresses. It is recommended that Salesforce customers verify that their applications do not require such untethered or unmonitored access or that using custom generated URL's is currently required in their operations before enforcing the above recommended access control.
Acknowledgements
Thanks to the reporter, who wishes to remain anonymous, for reporting this vulnerability.
Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.
A blog post published by Google’s Threat Analysis Group on Thursday describes the activities of hack-for-hire gangs in Russia, India and the United Arab Emirates.
The internet giant has added more than 30 domains used by these threat groups to its Safe Browsing mechanism, which prevents users from accessing them.
Chicago-based Infrastructure-as-Code (IaC) startup oak9 has attracted new interest from venture capitalists with Cisco Investments and Morgan Stanley’s Next Level Fund joining a new $8 million funding round.
The infamous North Korean Lazarus hacking group is the prime suspect in the $100 million hack of Harmony’s Horizon Bridge, according to new data and research from blockchain analytics firm Elliptic.
Wearable authentication solutions provider Token this week announced that it has raised $13 million in Series B funding. To date, the company has raised $22.9 million.
Led by Grand Oaks Capital, the investment round will allow Token to accelerate product development and to increase demand for its technology.
Google this week announced that new warnings added in the Google Workspace Alert Center will keep administrators notified of critical and sensitive configuration changes.
A remote access trojan (RAT) targeting small office/home office (SOHO) devices has remained undetected for nearly two years, according to security researchers with Black Lotus Labs, the threat intelligence arm of Lumen Technologies.
Broadcom revealed recently that some of the software provided by its storage networking subsidiary Brocade is affected by several vulnerabilities, and it seems possible that the flaws could impact the products of several major companies.
Cybersecurity firm Checkmarx has published details on a high-severity vulnerability in the Amazon Photos Android application that could have allowed malicious apps to steal an Amazon access token.
In the last couple of years, events were taken online, moved to virtual forums and conducted using social platforms via video set-up. Events became simpler to attend, but the individual component of the experience was missing – we all wanted to mix with our peers and see the eyes of a vendor as they pitch their latest message for automation, intelligence, analytics, or response solutions for cybersecurity.
A Canadian national has pleaded guilty in a United States court to charges related to his role in a cybercrime operation involving the NetWalker ransomware.
Sebastien Vachon-Desjardins, 34, is a former Canadian government employee. He was previously sentenced to seven years in prison in Canada for ransomware attacks.
Microsoft has patched a vulnerability that could allow an attacker with access to an Azure Linux container to escalate privileges and take over the entire cluster.