• Latest
  • Trending
Microsoft releases fixes for Azure flaw allowing RCE attacks

Microsoft releases fixes for Azure flaw allowing RCE attacks

May 10, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Saturday, 18 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Microsoft releases fixes for Azure flaw allowing RCE attacks

by ITECHNEWS
May 10, 2022
in Infosec, Leading Stories
0 0
0
Microsoft releases fixes for Azure flaw allowing RCE attacks

Microsoft has released security updates to address a security flaw affecting Azure Synapse and Azure Data Factory pipelines that could let attackers execute remote commands across Integration Runtime infrastructure.

The Integration Runtime (IR) compute infrastructure is used by Azure Synapse and Azure Data Factory pipelines to provide data integration capabilities across network environments (e.g., data flow, activity dispatch, SQL Server Integration Services (SSIS) package execution).

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

The vulnerability (tracked as CVE-2022-29972 and dubbed SynLapse by Orca Security Tzah Pahima) was mitigated on April 15, with no evidence of exploitation before fixes were released.

According to Pahima’s findings, attackers can exploit this bug to access and control other customers’ Synapse workspaces, allowing them to leak sensitive data including Azure’s service keys, API tokens, and passwords to other services.

“The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory,” Microsoft explained in a security advisory published today.

“The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant,” the company added in a Microsoft Security Response Center (MSRC) blog post.

Successful exploitation of this ODBC connector for Amazon Redshift flaw could let malicious attackers running jobs in a Synapse pipeline execute remote commands.

In the next attack stage, they could potentially steal the Azure Data Factory service certificate to execute commands in another tenant’s Azure Data Factory Integration Runtimes.

“Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism,” Orca Security’s Avi Shua said.

“Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

How to mitigate

Microsoft says that customers using Azure cloud (Azure Integration Runtime) or who host their own on-premises (Self-Hosted Integration Runtime) with auto-updates turned on don’t need to take any further action to mitigate this flaw.

Self-host IR customers who don’t have auto-update toggled on were already notified to safeguard their deployments via Azure Service Health Alerts (ID: MLC3-LD0).

The company advises them to update their self-hosted IRs to the latest version (5.17.8154.2) available on Microsoft’s Download Center.

These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or above running client and server platforms, including the latest releases (Windows 11 and Windows Server 2022).

“For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network which provides better compute and network isolation,” Redmond added.

“Customers using Azure Data Factory can enable Azure integration runtimes with a Managed Virtual Network.”

You can find further information on how to fully mitigate CVE-2022-299 in the “Customer Recommendations and Additional Support” section of MSRC’s blog post.

“Unfortunately, our research leads us to believe that the underlying architectural weakness is still present. There are areas in the service where a huge amount of Microsoft and 3rd party code, runs with SYSTEM permissions, processing customer controlled input,” Shua added.

“This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation. This is a major attack surface and not consistent with the level of security that public cloud customers expect.”

Disclosure timeline:

  • January 4 – Orca reported the issue to Microsoft
  • March 2 – Microsoft completed rollout of initial hotfix
  • March 11 – Microsoft identified and notified the customer affected by the researcher’s activity
  • March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
  • April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
  • April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied

In March, Microsoft said it fixed another Azure security vulnerability in December (also reported by Orca Security) that enabled attackers to take complete control over other Azure customers’ data by abusing an Azure Automation service bug dubbed AutoWarp.

Last month, the company addressed a chain of critical bugs reported by cloud security firm Wiz in the Azure Database for PostgreSQL Flexible Server (known as ExtraReplica) that let malicious users gain access to other customers’ databases after bypassing authentication.

Other Microsoft Azure flaws fixed by Redmond during the last year also include ones Wiz researchers found in Azure Cosmos DB, the Open Management Infrastructure (OMI) software agent, and the Azure App Service.

Source: Sergiu Gatlan
Via: bleepingcomputer
Tags: Microsoft releases fixes for Azure flaw allowing RCE attacks
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version