Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Microsoft on Monday shared information on patches and mitigations for a vulnerability impacting Azure Data Factory and Azure Synapse Pipelines.

Tracked as CVE-2022-29972, the security hole was identified in the third-party Open Database Connectivity (ODBC) data connector used in Integration Runtime (IR) in the affected Azure services to connect to Amazon Redshift.

A remote attacker could have exploited the flaw to execute arbitrary commands across the IR infrastructure, impacting multiple tenants, the tech giant explains.

Microsoft notes that the issue allowed a user running jobs in a Synapse pipeline to execute remote commands, potentially acquiring the Azure Data Factory service certificate and running commands in another tenant’s Data Factory IR.

“These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse,” Microsoft explains.

The tech giant released patches for the security bug on April 15 and has credited researchers with Orca Security for reporting the vulnerability. Orca has named the flaw SynLapse.

“This vulnerability allows an attacker to access and control other customers’ Synapse workspaces, and leak sensitive data stored in the service including Azure’s service keys, API tokens, and passwords to other services,” Orca says.

The cloud security firm claims that the issue lies with the tenant separation in Azure Synapse and that Microsoft attempted several partial fixes before finally nailing the vulnerability down.

“We addressed the vulnerability with the release of the security updates to remediate CVE-2022-29972. In addition, we also worked with the third-party vendor on fixing the vulnerability in the driver which has been released with our latest updates,” Microsoft notes.

Microsoft says that, in addition to addressing the command execution in the impacted driver, it reduced job execution privileges in Azure IR, hardened the service with additional validation layers, and revoked and reissued the backend service certificate and other exposed Microsoft credentials.

Orca says that, while the specific vulnerability was addressed, Microsoft did not resolve the weak tenant separation issue, which allowed the researchers to find different attack vectors that bypassed the deployed fixes twice.

Ultimately, however, Microsoft did implement mitigations that make exploitation much harder, yet the researchers continue to believe that there are weaknesses that the company should resolve in the Synapse service.

“There are areas in the service where a huge amount of Microsoft and 3rd party code, runs with SYSTEM permissions, processing customer controlled input. This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation,” Orca says.

The company added, “Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

Microsoft says its analysis of the vulnerability hasn’t revealed any cases of abuse, other than the unauthorized access Orca’s researchers obtained during their investigation.

While Azure Data Factory or Azure Synapse pipeline customers who self-host IR (SHIR) but don’t have auto-updates enabled need to update to version 5.17.8154.2, no action is required from customers hosted in the cloud or on-premises with auto-updates enabled.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
