[n2d4]

The important part:

  > Now what have we gained with root access to the container?

  > Absolutely nothing!

  > We can now use this access to explore parts of the container that were previously inaccessible to us. We explored the filesystem, but there were no files in /root, no interesting logging to find, and a container breakout looked out of the question as every possible known breakout had been patched.

I'm sure there are more ways to acquire root. If Microsoft pays out for one, they have to pay out for all, and it seems pretty silly to do that for something that's slightly unintended but not dangerous.

[bramhaag]

  > a container breakout looked out of the question as every possible known breakout had been patched

This is the part that concerns me. It only encourages an attacker to sit on an exploit like this until a new container breakout is discovered.

[tptacek]

Are you not concerned about all the other platforms that rely on containers as security boundaries between tenants? There are a lot of them.

[bgwalter]

It is hard to answer that since the stack is so convoluted. Some parts are forced on the user. Copilot is built into Microsoft Office workplace applications.

If you break out of a container, do you have access to the same system that serves these applications? Who knows, it looks like a gigantic mess.

[whazor]

I expect that they run their containers more isolated as virtual machines. So they have bigger problems of there is a breakout possible.

[nicce]

Severity is based on impact. What was the impact here beyond single container and that specific user instance? Feels like moderate was okay, or even too high.

[DSMan195276]

IMO if they truly don't consider it dangerous then they shouldn't have considered it a vulnerability at all, just a non-security bug. Labeling it a moderate vuln and not paying just seems like a bad middle ground to me, as though they haven't really decided if restricted root permissions is part of the security model or not.

[eddythompson80]

Eh, I’m guessing it’s just one of those bugs that have to be categorized as security, but the design assumes that this particular security layer is leaky and is only really there for the experience rather than actual security.

The container is almost certainly running with hypervisor isolation. The trust boundary is with the container. But an LLM is executing arbitrary code in a Jupyter notebook there. It could trash the container, which is not a security issue in itself (again since your boundary is hypervisor anyway) but it’s a pretty shitty experience. Suddenly copilot could trash its container and it no longer can execute code and you’re stuck until whatever session or health check kicks in to give you a new instance. So running LLM generated code/commands in a non-root user makes it easier to have a better experience.

At the same time, you’ll be laughed at if you don’t categorize a root escalation when not expected as a “not a security issue”

[amelius]

Maybe this was their honeypot container.