Microsoft on Monday shared information on patches and mitigations for a vulnerability impacting Azure Data Factory and Azure Synapse Pipelines.
Tracked as CVE-2022-29972, the security hole was identified in the third-party Open Database Connectivity (ODBC) data connector used in Integration Runtime (IR) in the affected Azure services to connect to Amazon Redshift.
A remote attacker could have exploited the flaw to execute arbitrary commands across the IR infrastructure, impacting multiple tenants, the tech giant explains.
Microsoft notes that the issue allowed a user running jobs in a Synapse pipeline to execute remote commands, potentially acquiring the Azure Data Factory service certificate and running commands in another tenant’s Data Factory IR.
“These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse,” Microsoft explains.
“This vulnerability allows an attacker to access and control other customers’ Synapse workspaces, and leak sensitive data stored in the service including Azure’s service keys, API tokens, and passwords to other services,” Orca says.
The cloud security firm claims that the issue lies with the tenant separation in Azure Synapse and that Microsoft attempted several partial fixes before finally nailing the vulnerability down.
“We addressed the vulnerability with the release of the security updates to remediate CVE-2022-29972. In addition, we also worked with the third-party vendor on fixing the vulnerability in the driver which has been released with our latest updates,” Microsoft notes.
Microsoft says that, in addition to addressing the command execution in the impacted driver, it reduced job execution privileges in Azure IR, hardened the service with additional validation layers, and revoked and reissued the backend service certificate and other exposed Microsoft credentials.
Orca says that, while the specific vulnerability was addressed, Microsoft did not resolve the weak tenant separation issue, which allowed the researchers to find different attack vectors that bypassed the deployed fixes twice.
Ultimately, however, Microsoft did implement mitigations that make exploitation much harder, yet the researchers continue to believe that there are weaknesses that the company should resolve in the Synapse service.
“There are areas in the service where a huge amount of Microsoft and 3rd party code runs with SYSTEM permissions, processing customer controlled input. This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation,” Orca says.
The company added, “Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”
Microsoft says its analysis of the vulnerability hasn’t revealed any cases of abuse, other than the unauthorized access Orca’s researchers obtained during their investigation.
While Azure Data Factory or Azure Synapse pipeline customers who self-host IR (SHIR) but don’t have auto-updates enabled need to update to version 5.17.8154.2, no action is required from customers hosted in the cloud or on-premises with auto-updates enabled.