From User to Root: Exploiting a Privilege Escalation Bug in Azure Storage Utility

-

 A critical privilege escalation vulnerability has been discovered in AZNFS-mount, a utility preinstalled on Azure HPC/AI Linux images. The flaw, which affects all versions up to 2.0.10, allows unprivileged users to escalate privileges to root, posing a serious threat to environments that rely on NFS access to Azure Blob storage.



What Is AZNFS-Mount and Why It Matters

AZNFS-mount enables mounting of Azure Storage Account NFS endpoints, simplifying data access even when IP addresses change. Installed via aznfs_install.sh, the tool includes binaries that require superuser permissions to manage mount points and DNAT rules. This utility is widely used in high-performance computing (HPC) and AI workloads in Azure.

The Vulnerability: SUID Misuse and Environment Variable Exploitation

At the core of the issue is the mount.aznfs binary, installed with the SUID bit (file mode 4755), allowing any user to execute it with root privileges. It leverages the execv function to run a Bash script (/opt/microsoft/aznfs/mountscript.sh) while preserving environment variables.

According to a detailed Varonis report, an attacker can manipulate the BASH_ENV environment variable to inject arbitrary commands. When BASH_ENV is set to something like $(malicious_command), Bash attempts to evaluate and execute the command during script execution — effectively granting root-level access.



Potential Impact

Successful exploitation could allow attackers to:

  • Mount unauthorized storage containers

  • Install backdoors or malware

  • Move laterally within cloud-hosted environments

Although Microsoft has classified the issue as low severity, the potential for damage in sensitive environments makes it a significant risk.

Who Is Affected and How to Mitigate

This vulnerability affects all AZNFS-mount versions up to 2.0.10. It is especially concerning for users of Azure HPC images or any deployments using NFS for Azure Storage.

A fix has been released in version 2.0.11, and Microsoft has updated the Kubernetes blob-csi-driver accordingly. Organizations are strongly advised to:

  • Enable auto-updates for AZNFS-mount

  • Or manually update to the latest patched version

  • Review access configurations on NFS-mounted Azure Blob storage

Why NFS Access in Azure Is Uniquely Risky

Unlike other Azure Storage access methods (REST API, SFTP), NFS endpoints do not support Azure’s role-based access control (RBAC) or attribute-based policies. If an attacker gains NFS access, they can access all objects in the container, regardless of storage-level permissions.

While Microsoft downplays the severity, the presence of a root-exploitable SUID binary in a default utility demands urgent attention. As with all cloud environments, regular reviews of access controls and security configurations remain critical to maintaining a strong security posture.

Comments

Post a Comment

Popular posts from this blog

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

New Diicot Threat Group Targets SSH Servers with Brute-Force Malware

-
Image
  Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Researchers from Cado Labs reported that an emerging Romanian threat actor called Diicot is utilizing unique TTPs (Tactics, Techniques, and Procedures) and an interesting attack pattern to target victims. The researchers noted that the group has been using brute-force malware whose payloads have neither been publicly reported nor appeared in common repositories. About Diicot Threat Group Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery. Previous research by Akamai and Bitdefender reveals ...
Read more