In a recent article, Orca Security describes the technical details of SynLapse, a Synapse Analytics vulnerability in Azure that allowed attackers to bypass tenant separation. The issue has now been addressed, but the timing and the disclosure process raised concerns in the community.
SynLapse allowed an attacker to perform remote command execution via Azure Data Factory integration runtime infrastructure not limited to a single tenant. By exploiting a vulnerability in Synapse Analytics, attackers could obtain credentials for other Synapse accounts, take over their workspaces, execute code on targeted client machines within the Synapse Analytics service, and leak credentials to data sources outside of Azure.
The security company shared the vulnerability with the Microsoft Security Response Center (MSRC) on January 4, published partial information in May, but waited to publish the full details so that Synapse customers would have time to patch their self-hosted builds and to allow Microsoft to implement further mitigations. Orca Security initially bypassed two previous fixes from the cloud provider.
Tzah Pahima, cloud vulnerability researcher at Orca Security, explains how he discovered the issue:
While investigating self-hosted (on-premises) integration runtimes, I found a shell injection vulnerability leading to an RCE (CVE-2022-29972) in the Magnitude Simba Redshift ODBC connector used by Microsoft software.
Pahima started a popular thread on Twitter describing how he was able to get into the service:
I was able to access the passwords of thousands of companies in Azure and run code on their virtual machines. This includes access to Microsoft’s own credentials.
Microsoft addressed the vulnerability and achieved tenant isolation in Azure Synapse pipelines and Azure Data Factory using ephemeral nodes and low-privileged API tokens for the Synapse Integration Runtime. Pahima adds:
It’s worth noting that the main security flaw was not so much the ability to run code in a shared environment, but rather the implications of such code execution. More specifically, code execution in the shared integration runtime exposed a client certificate to a powerful internal API server. This allowed an attacker to compromise the service and access the resources of other clients.
Microsoft has conducted a detailed internal investigation to identify any instances of abuse. The only activity identified was by Orca Security, who reported the vulnerability. Our investigation found no evidence of misuse or malicious activity. The vulnerability was mitigated on April 15, 2022.
This is not a story about an Azure security flaw. This is a story about a complete lack of safety culture evident anywhere in this story. If I were an Azure customer, I would look to change that immediately after reading the Orca Security blog post.
Tenable Research separately reported two flaws in the underlying infrastructure of Synapse Analytics in March and questioned Microsoft's disclosure process:
Let’s first tackle some disclosure issues. When it comes to Synapse Analytics, the MSRC and the development team behind Synapse seem to have a huge communications disconnect. It took too much effort to get any kind of meaningful response from our case agent.
SynLapse is not the only cloud vulnerability revealed this year: Orca Security reported Azure AutoWarp, AWS Super Glue and AWS Last Minute Training. Lightspin found a local file read vulnerability in Amazon RDS, as described separately on InfoQ.