Microsoft has released security updates to address a security flaw affecting Azure Synapse and Azure Data Factory pipelines that could let attackers execute remote commands across Integration Runtime infrastructure.
The Integration Runtime (IR) compute infrastructure is used by Azure Synapse and Azure Data Factory pipelines to provide data integration capabilities across network environments (e.g., data flow, activity dispatch, SQL Server Integration Services (SSIS) package execution).
The vulnerability (tracked as CVE-2022-29972 and dubbed SynLapse by Orca Security Tzah Pahima) was mitigated on April 15, with no evidence of exploitation before fixes were released.
According to Pahima’s findings, attackers can exploit this bug to access and control other customers’ Synapse workspaces, allowing them to leak sensitive data including Azure’s service keys, API tokens, and passwords to other services.
“The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory,” Microsoft explained in a security advisory published today.
“The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant,” the company added in a Microsoft Security Response Center (MSRC) blog post.
Successful exploitation of this ODBC connector for Amazon Redshift flaw could let malicious attackers running jobs in a Synapse pipeline execute remote commands.
In the next attack stage, they could potentially steal the Azure Data Factory service certificate to execute commands in another tenant’s Azure Data Factory Integration Runtimes.
“Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism,” Orca Security’s Avi Shua said.
“Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”
How to mitigate
Microsoft says that customers using Azure cloud (Azure Integration Runtime) or who host their own on-premises (Self-Hosted Integration Runtime) with auto-updates turned on don’t need to take any further action to mitigate this flaw.
Self-host IR customers who don’t have auto-update toggled on were already notified to safeguard their deployments via Azure Service Health Alerts (ID: MLC3-LD0).
The company advises them to update their self-hosted IRs to the latest version (5.17.8154.2) available on Microsoft’s Download Center.
These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or above running client and server platforms, including the latest releases (Windows 11 and Windows Server 2022).
“For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network which provides better compute and network isolation,” Redmond added.
“Customers using Azure Data Factory can enable Azure integration runtimes with a Managed Virtual Network.”
You can find further information on how to fully mitigate CVE-2022-299 in the “Customer Recommendations and Additional Support” section of MSRC’s blog post.
“Unfortunately, our research leads us to believe that the underlying architectural weakness is still present. There are areas in the service where a huge amount of Microsoft and 3rd party code, runs with SYSTEM permissions, processing customer controlled input,” Shua added.
“This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation. This is a major attack surface and not consistent with the level of security that public cloud customers expect.”
Disclosure timeline:
- January 4 – Orca reported the issue to Microsoft
- March 2 – Microsoft completed rollout of initial hotfix
- March 11 – Microsoft identified and notified the customer affected by the researcher’s activity
- March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
- April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
- April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied
In March, Microsoft said it fixed another Azure security vulnerability in December (also reported by Orca Security) that enabled attackers to take complete control over other Azure customers’ data by abusing an Azure Automation service bug dubbed AutoWarp.
Last month, the company addressed a chain of critical bugs reported by cloud security firm Wiz in the Azure Database for PostgreSQL Flexible Server (known as ExtraReplica) that let malicious users gain access to other customers’ databases after bypassing authentication.
Other Microsoft Azure flaws fixed by Redmond during the last year also include ones Wiz researchers found in Azure Cosmos DB, the Open Management Infrastructure (OMI) software agent, and the Azure App Service.