Microsoft has incorporated additional enhancements to address the recently disclosed SynLapse security vulnerability and to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines.
Latest protections include moving Shared Integration Runtimes to ephemeral sandboxed instances and using extended tokens to prevent adversaries from using a client certificate to access information from other tenants.
“This means that if an attacker could run code on the integration runtime, it is never shared between two different tenants, so no sensitive data is at risk,” Orca Security said in a technical report detailing the issue.
In a statement shared with The Hacker News regarding the protections deployed, Microsoft said it has fully mitigated the different attack paths to the vulnerability across all types of onboarding execution.
The tech giant said it “contains and closely monitors the backend certificate for opponent activity and pivots, prior to rotation and revocation”, and “adds additional defense in depth backend APIs by switching to using activity-isolated time-bound tokens instead of certificates.”
The high-severity issue, tracked as CVE-2022-29972 (CVSS score: 7.8) and disclosed early last month, could have allowed an attacker to perform remote command execution and gain access to another Azure customer's cloud environment.
Originally reported by the cloud security firm on January 4, 2022, SynLapse wasn’t fully patched until April 15, just over 120 days after the initial disclosure and after two earlier patches deployed by Microsoft were found to be easily bypassable.
“SynLapse allowed attackers to access Synapse resources owned by other customers through an internal Azure API server managing integration runtimes,” the researchers said.
In addition to allowing an attacker to obtain credentials for other Azure Synapse customer accounts, the flaw allowed bypassing tenant separation, executing code on targeted customer machines, controlling Synapse workspaces, and leaking sensitive data to other external sources.
At its core, the issue involves a case of command injection found in the Magnitude Simba Amazon Redshift ODBC connector used in Azure Synapse Pipelines that could be exploited to achieve code execution in a user’s integration runtime or on the shared integration runtime.
With these capabilities in hand, an attacker could have dumped the memory of the process that handles external connections, thereby leaking credentials to databases, servers, and other Azure services.
More worryingly, a client certificate contained in the shared integration runtime and used for authentication to an internal management server could have been weaponized to access information about other customer accounts.
By chaining the remote code execution bug with access to the control server certificate, the issue effectively opened the door to code execution on any integration runtime without knowing anything other than the name of a Synapse workspace.
“It should be noted that the primary security flaw was not so much the ability to run code in a shared environment as the implications of such code execution,” noted security researcher Tzah Pahima.
“Specifically, running code on the Shared Integration Runtime exposed a client certificate to a powerful internal API server. This allowed an attacker to compromise the service and gain access to resources from other clients.”
Update: The disclosure of the delayed fix for the critical Synapse flaw comes as cybersecurity firm Tenable called out Microsoft for its lack of transparency and silent resolution of one of two serious issues it reported in the Azure Synapse service on March 10, 2022.
“These flaws allow a user to elevate privileges to those of the root user in the underlying Apache Spark virtual machines, or poison the hosts file of all nodes in an Apache Spark pool,” the company said.
“The keys, secrets, and services accessed through these vulnerabilities have traditionally allowed further lateral movement and compromise of Microsoft-owned infrastructure, which could potentially lead to compromise of other customers’ data.”
The privilege escalation vulnerability has since been patched, as of April 30, 2022. The hosts file poisoning attack, however, has not yet been patched.
“Without timely and detailed disclosures, customers have no idea if they were or are vulnerable to an attack…or if they experienced an attack before a vulnerability was patched,” said Tenable CEO Amit Yoran.
“And failing to notify customers denies them the ability to seek evidence that they have or have not been compromised, a totally irresponsible policy.”
“We have resolved the issues Tenable has brought to our attention and no customer action is required,” a Microsoft spokesperson told The Hacker News. “Microsoft’s policy for CVEs, in accordance with the CVE Issuance Guidelines, is to assign a CVE number if and when customer action is required.”