SecurityWeek

Cloud Security

Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Microsoft on Monday shared information on patches and mitigations for a vulnerability impacting Azure Data Factory and Azure Synapse Pipelines.

Tracked as CVE-2022-29972, the security hole was identified in the third-party Open Database Connectivity (ODBC) data connector that the Integration Runtime (IR) in the affected Azure services uses to connect to Amazon Redshift.

A remote attacker could have exploited the flaw to execute arbitrary commands across the IR infrastructure, impacting multiple tenants, the tech giant explains.

Microsoft notes that the issue allowed a user running jobs in a Synapse pipeline to execute remote commands, potentially acquiring the Azure Data Factory service certificate and running commands in another tenant’s Data Factory IR.

“These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse,” Microsoft explains.

The tech giant released patches for the security bug on April 15 and has credited researchers with Orca Security for reporting the vulnerability. Orca has named the flaw SynLapse.

“This vulnerability allows an attacker to access and control other customers’ Synapse workspaces, and leak sensitive data stored in the service including Azure’s service keys, API tokens, and passwords to other services,” Orca says.

The cloud security firm claims that the issue lies with the tenant separation in Azure Synapse and that Microsoft attempted several partial fixes before finally nailing the vulnerability down.


“We addressed the vulnerability with the release of the security updates to remediate CVE-2022-29972. In addition, we also worked with the third-party vendor on fixing the vulnerability in the driver which has been released with our latest updates,” Microsoft notes.

Microsoft says that, in addition to addressing the command execution in the impacted driver, it reduced job execution privileges in Azure IR, hardened the service with additional validation layers, and revoked and reissued the backend service certificate and other exposed Microsoft credentials.

Orca says that, while the specific vulnerability was addressed, Microsoft did not resolve the weak tenant separation issue, which allowed the researchers to find different attack vectors that bypassed the deployed fixes twice.

Ultimately, however, Microsoft did implement mitigations that make exploitation much harder, yet the researchers continue to believe that there are weaknesses that the company should resolve in the Synapse service.

“There are areas in the service where a huge amount of Microsoft and 3rd party code runs with SYSTEM permissions, processing customer controlled input. This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation,” Orca says.

The company added, “Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

Microsoft says its analysis of the vulnerability hasn’t revealed any cases of abuse, other than the unauthorized access Orca’s researchers obtained during their investigation.

Azure Data Factory and Azure Synapse pipeline customers who self-host IR (SHIR) without auto-updates enabled need to update to version 5.17.8154.2; no action is required from customers using the cloud-hosted IR, or from self-hosted customers with auto-updates enabled.
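As an added illustration of the update rule stated in the paragraph above (this is not code from the article, Microsoft or Orca), the following Python takes a constructed inventory of integration runtimes and flags the ones that need a manual update: self-hosted, auto-update disabled, and a version below 5.17.8154.2. The record field names and sample runtime names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimum self-hosted IR (SHIR) version named in the advisory.
REQUIRED_SHIR_VERSION = "5.17.8154.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that comparisons are numeric.
    A plain string compare would rank '5.17.8154.2' above '5.17.10001.0'."""
    return tuple(int(part) for part in version.strip().split("."))


@dataclass
class IntegrationRuntime:
    name: str
    ir_type: str             # "SelfHosted" or "Managed" (Azure-hosted); assumed labels
    auto_update: bool
    version: Optional[str]   # None when the node status is unavailable


def needs_manual_update(ir: IntegrationRuntime) -> bool:
    """Apply the advisory's rule to one runtime record."""
    if ir.ir_type != "SelfHosted":
        return False          # Azure-hosted IR is patched by Microsoft
    if ir.auto_update:
        return False          # auto-update delivers the fixed version
    if ir.version is None:
        return True           # unknown version: treat as unpatched until verified
    return parse_version(ir.version) < parse_version(REQUIRED_SHIR_VERSION)


def triage(runtimes: List[IntegrationRuntime]) -> List[str]:
    """Return the names of runtimes that still need a manual update."""
    return [ir.name for ir in runtimes if needs_manual_update(ir)]


# Constructed sample inventory (not real deployments).
SAMPLE_RUNTIMES = [
    IntegrationRuntime("shir-onprem-01", "SelfHosted", False, "5.16.8079.1"),
    IntegrationRuntime("shir-onprem-02", "SelfHosted", False, "5.17.8154.2"),
    IntegrationRuntime("shir-dc-03", "SelfHosted", True, "5.15.8000.1"),
    IntegrationRuntime("AutoResolveIntegrationRuntime", "Managed", True, None),
    IntegrationRuntime("shir-lab-04", "SelfHosted", False, "5.17.10001.0"),
    IntegrationRuntime("shir-unknown-05", "SelfHosted", False, None),
]

if __name__ == "__main__":
    print("Needs manual update:", triage(SAMPLE_RUNTIMES))
```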

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
