CVSS3 score: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2 score: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector string: AV:L/AC:L/Au:N/C:C/I:C/A:C
Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines.
The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens, so that an adversary can no longer use a client certificate to access other tenants’ information.
“This means that if an attacker could execute code on the integration runtime, it is never shared between two different tenants, so no sensitive data is in danger,” Orca Security said in a technical report detailing the flaw.
In a statement shared with The Hacker News regarding the protections deployed, Microsoft said it fully mitigated different attack paths to the vulnerability across all integration runtime types.
The tech giant stated that it “contained and closely monitored the backend certificate for adversary activity and pivots, before rotation and revocation,” and that it “added additional defense in depth to backend API’s by moving to using activity isolated time-bound tokens instead of certificate.”
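The two mitigations described above share one idea: replace a single long-lived credential that is valid for every tenant with credentials that are bound to one tenant, one activity, and a short lifetime. The following Python snippet is an added illustration of that design principle, written for this article and not Microsoft's or Orca's code; the token format, the HMAC signing key, the claim names and the tenant/activity identifiers are all constructed for the example and are not Azure's actual token scheme. The point is the validation logic: a token issued for one tenant and activity is rejected when presented for any other tenant, for any other activity, after expiry, or after tampering, whereas a shared certificate would be accepted everywhere.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real issuer would keep this in an HSM or key vault
# and never ship it to the runtime that consumes the tokens.
SIGNING_KEY = b"constructed-demo-signing-key"


def shared_certificate_authorizes(cert_subject: str, tenant_id: str) -> bool:
    """Models the pre-fix situation: one backend client certificate, valid for
    every tenant. The tenant argument is deliberately ignored, which is exactly
    why code execution on a shared runtime became a cross-tenant problem."""
    return cert_subject == "shared-integration-runtime-cert"


def issue_token(tenant_id: str, activity_id: str, ttl_seconds: int, now: int,
                key: bytes = SIGNING_KEY) -> str:
    """Mint a token scoped to one tenant and one activity, valid for ttl_seconds.
    Format (constructed): base64url(JSON claims) + '.' + hex(HMAC-SHA256)."""
    claims = {
        "tenant": tenant_id,
        "activity": activity_id,
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token: str, tenant_id: str, activity_id: str, now: int,
                   key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Return (accepted, reason). Every check is evaluated against the tenant
    and activity the backend API is being asked to act on, not against
    whatever the caller claims, so a token leaked from one runtime is useless
    for another tenant's resources and dies on its own after the TTL."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: signature check happens before any claim is trusted.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["tenant"] != tenant_id:
        return False, "tenant mismatch"
    if claims["activity"] != activity_id:
        return False, "activity mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("tenant-a", "copy-activity-1", ttl_seconds=300, now=1000)
    print(validate_token(tok, "tenant-a", "copy-activity-1", now=1100))  # accepted
    print(validate_token(tok, "tenant-b", "copy-activity-1", now=1100))  # tenant mismatch
    print(validate_token(tok, "tenant-a", "copy-activity-1", now=1400))  # expired
    print(shared_certificate_authorizes("shared-integration-runtime-cert", "tenant-b"))
```

The contrast worth noticing is in `shared_certificate_authorizes`: the credential alone decides, so whoever holds it can reach any tenant. In `validate_token` the credential is only one input; the tenant, the activity and the clock must all agree before the backend acts, and a stolen token expires on its own even if revocation lags.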
The high-severity issue, tracked as CVE-2022-29972 (CVSS score: 7.8) and disclosed early last month, could have allowed an attacker to perform remote command execution and gain access to another Azure client’s cloud environment.
Originally reported by the cloud security company on January 4, 2022, SynLapse wasn’t fully patched until April 15, a little over 120 days after the initial disclosure, after two earlier fixes deployed by Microsoft were found to be easily bypassed.
“SynLapse enabled attackers to access Synapse resources belonging to other customers via an internal Azure API server managing the integration runtimes,” the researchers said.
Besides permitting an attacker to obtain credentials to other Azure Synapse customer accounts, the flaw made it possible to sidestep tenant separation and execute code on targeted customer machines as well as control Synapse workspaces and leak sensitive data to other external sources.
At its core, the issue is a command injection flaw in the Magnitude Simba Amazon Redshift ODBC connector used in Azure Synapse Pipelines, which could be exploited to achieve code execution on a user’s integration runtime or on the shared integration runtime.
With these capabilities in hand, an attacker could have proceeded to dump the memory of the process that handles external connections, thereby leaking credentials to databases, servers, and other Azure services.
Even more concerningly, a client certificate contained in the shared integration runtime and used for authentication to an internal management server could have been weaponized to access information pertaining to other customer accounts.
Chained together, the remote code execution bug and access to the control server certificate effectively opened the door to code execution on any integration runtime, with no prior knowledge beyond the name of a Synapse workspace.
“It is worth noting that the major security flaw wasn’t so much the ability to execute code in a shared environment but rather the implications of such code execution,” security researcher Tzah Pahima noted.
“More specifically, executing code on the shared integration runtime exposed a client certificate to a powerful, internal API server. This enabled an attacker to compromise the service and access other customers’ resources.”
Update: The disclosure about delayed patching of the critical SynLapse flaw comes as cybersecurity firm Tenable called out Microsoft for its lack of transparency and silently fixing one of the two serious issues it reported in the Azure Synapse service on March 10, 2022.
βThese flaws allow a user to escalate privileges to that of the root user within the underlying Apache Spark virtual machines, or to poison the hosts file of all nodes in an Apache Spark pool,β the company said.
βThe keys, secrets and services accessible via these vulnerabilities have traditionally allowed further lateral movement and compromise of Microsoft-owned infrastructure, which could potentially lead to a compromise of other customersβ data.β
The privilege escalation vulnerability has since been addressed as early as April 30, 2022. The hosts file poisoning attack, however, remains unpatched as yet.
βWithout timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack β¦ or if they fell victim to attack prior to a vulnerability being patched,β Tenable CEO Amit Yoran said.
βAnd not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.β
βWe addressed the issues that Tenable reported to us and no customer action is required,β a Microsoft spokesperson told The Hacker News. βMicrosoftβs policy for CVEβs, in alignment with the CVE issuance guidance, is to assign a CVE number if and when customer action is necessary.β