The vulnerability was discovered by researchers from Orca Security and resides in a third-party driver used in the above solution.
“The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole.” reads the advisory published by Microsoft. “The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.”
A threat actor can exploit this flaw to acquire the Azure Data Factory service certificate and execute commands in another tenant’s Azure Data Factory Integration Runtimes.
Researchers at Orca Security speculate that the tenant separation is not sufficiently robust to prevent users from accessing sensitive data of other tenants, including Azure’s service keys, API tokens, and passwords to other services.
Experts discovered the SynLapse issue in January 4 and fixed it on April 15, below is video PoC of the exploitation of the issue. The video shows a “customer” uses Azure Synapse Analytics to store credentials to an external service (HTTP server in this example) and the attacker exploring the issue to access these credentials while executing code on the customer’s machine.
“We are going to hold off on publishing technical details of the exploits we have found until June 14, for two reasons. First, the vulnerabilities are also present in the on-premises version of Synapse, and this will provide Microsoft’s customers some additional time to deploy and remediate the existing mitigations in their on-premises environments.” wrote Orca Security.”Second, we believe that the technical details of the exploit will make it easier for attackers to find more open attack vectors, and the delay will allow time for organizations to reconsider their usage of Synapse.”
Below is the timeline for this vulnerability:
Microsoft said that it has found no evidence of attacks exploiting this flaw in the wild..
Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform
(SecurityAffairs – hacking, Microsoft)