The Hacker News reported on June 14, 2022, that Microsoft has incorporated additional improvements to address the recently disclosed Azure SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines.
The high-severity issue, tracked as CVE-2022-29972 (CVSS score: 7.8) and disclosed early last month, could have allowed an attacker to perform remote command execution and gain access to another Azure client's cloud environment.

Update and fix released: April 15, 2022

A detailed explanation and timeline are available below.
Originally reported by the cloud security company on January 4, 2022, SynLapse wasn't fully patched until April 15, a little over 120 days after initial disclosure; two earlier fixes deployed by Microsoft were found to be easily bypassed.
The hack enabled attackers to access Synapse resources belonging to other customers via an internal Azure API server managing the integration runtimes.
Besides permitting an attacker to obtain credentials to other Azure Synapse customer accounts, the flaw made it possible to sidestep tenant separation and execute code on targeted customer machines as well as control Synapse workspaces and leak sensitive data to other external sources.
At its core, the issue is a command injection in the Magnitude Simba Amazon Redshift ODBC connector used in Azure Synapse Pipelines, which could be exploited to achieve code execution on a user's integration runtime or on the shared integration runtime.
With these capabilities in hand, an attacker could have proceeded to dump the memory of the process that handles external connections, thereby leaking credentials to databases, servers, and other Azure services.
Even more concerningly, a client certificate contained in the shared integration runtime and used for authentication to an internal management server could be weaponized to access information pertaining to other customer accounts.
By chaining the remote code execution bug with access to the control server certificate, an attacker could effectively achieve code execution on any integration runtime while knowing nothing but the name of a Synapse workspace.
“It is worth noting that the major security flaw wasn’t so much the ability to execute code in a shared environment but rather the implications of such code execution,”
“More specifically, the fact that given an RCE on the shared integration runtime let us use a client certificate providing access to a powerful, internal API server.”
More information can be found below: