Azure Serverless Functions escape to host

Published Thu, Dec 15th, 2022


In Azure Serverless Functions, a new container is generated by the host for every function, which is then terminated and deleted after several minutes. Palo Alto discovered that an API call was available to bind one path to another within the container (called "init_server_pkg_mount_BindMount") that could be called by a low-privileged user but executed with root privileges. This could enable a malicious tenant to escalate their privileges to root, and then escape their container by abusing the Linux cgroup v1 “notification on release” feature (a well-known escape to host technique). This last step was possible because the container had been granted the SYS_ADMIN capability, did not have an AppArmor profile, and the cgroup v1 virtual filesystem was mounted as read-writable from within the container (all against container hardening best practice). However, the underlying HyperV host was single-tenant, thereby limiting the blast radius of this vulnerability chain. Following disclosure, Azure added additional validation for bind mount APIs, but the other elements of this attack sequence remain exploitable.

Affected Services

Azure Serverless Functions


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Thu, Dec 15th, 2022
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Aviv Sasson, Daniel Prizmant, Palo Alto