
SynLapse: Orca Security Publishes Details for Critical Azure Synapse Vulnerability

In a recent article, Orca Security describes the technical details of SynLapse, a critical Synapse Analytics vulnerability in Azure that allowed attackers to bypass tenant separation. The issue has now been addressed, but the timing and the disclosure process have raised concerns in the community.

SynLapse allowed an attacker to perform remote command execution across Azure Data Factory Integration Runtime infrastructure not limited to a single tenant. Leveraging a Synapse Analytics vulnerability, attackers could obtain credentials to other Synapse accounts, control their workspaces, execute code on targeted customer machines inside the Synapse Analytics service and leak credentials to data sources external to Azure.

The security company shared the vulnerability with the Microsoft Security Response Center (MSRC) on January 4th, released partial information in May, but waited to publish the full details in order to give Synapse customers time to patch their on-premises versions and allow Microsoft to implement further mitigations. Two earlier fixes by the cloud provider were initially bypassed by Orca Security.

Source: https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/

Tzah Pahima, cloud vulnerability researcher at Orca Security, explains how he discovered the problem:

Researching self-hosted (on-premise) integration runtimes, I found a shell injection vulnerability that leads to an RCE (CVE-2022-29972) in the Magnitude Simba Redshift ODBC connector used by Microsoft’s software.

Pahima started a popular thread on Twitter to describe how he was able to break into the service:

I was able to access thousands of companies’ passwords on Azure and run code on their VMs. This includes access to Microsoft’s own credentials.

Microsoft addressed the vulnerability and achieved tenant isolation in Azure Synapse Pipelines and Azure Data Factory by using ephemeral nodes and low-privileged API tokens for the Synapse Integration Runtime. Pahima adds:

It is worth noting that the major security flaw wasn’t so much the ability to execute code in a shared environment, but rather the implications of such code execution. More specifically, executing code on the shared integration runtime exposed a client certificate to a powerful, internal API server. This enabled an attacker to compromise the service and access other customers’ resources.

The cloud provider acknowledged Orca Security for reporting the vulnerability and awarded a $60,000 USD bounty, an amount that many developers consider too low. Microsoft also states that no customer data was compromised:

Microsoft has conducted a detailed internal investigation to identify any cases of abuse. The only activity identified was performed by Orca Security, who reported the vulnerability. Our investigation found no evidence of misuse or malicious activity. The vulnerability was mitigated on April 15, 2022.

Corey Quinn, chief cloud economist at The Duckbill Group, writes:

This is not a story about an Azure security failure. This is a story about a complete lack of security culture apparent anywhere in this story. If I were an Azure customer, I would seek to change that immediately after reading Orca Security's blog post.

Tenable Research separately reported two flaws in the underlying infrastructure of Synapse Analytics in March and questions Microsoft's disclosure process:

Let’s first address some disclosure woes. When it comes to Synapse Analytics, the MSRC and the development team behind Synapse seem to have a major communications disconnect. It took entirely too much effort to get any sort of meaningful response from our case agent.

SynLapse is not the only cloud vulnerability disclosed this year: Orca Security also reported Azure AutoWarp, AWS Superglue, and AWS BreakingFormation, and Lightspin found a local file read vulnerability on Amazon RDS, as covered separately on InfoQ.
