{"id":36688,"date":"2022-06-14T10:31:00","date_gmt":"2022-06-14T10:31:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36688"},"modified":"2022-06-14T10:31:00","modified_gmt":"2022-06-14T10:31:00","slug":"ms-azure-synapse-vulnerability-fixed-after-six-month-slog","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36688","title":{"rendered":"MS Azure Synapse vulnerability fixed after six-month slog"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/ms-azure-synapse-vulnerability-fixed-after-six-month-slog.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Ethical hackers at <a href=\"https:\/\/orca.security\/\">Orca Security<\/a> have added their voices to a growing number of concerns in the community over how tech companies go about fixing responsibly disclosed vulnerabilities in a timely manner, after going public with a critical shell injection vulnerability leading to remote code execution (RCE) in <a href=\"https:\/\/www.techtarget.com\/searchbusinessanalytics\/news\/252493131\/Microsofts-Azure-Synapse-Analytics-now-generally-available\">Microsoft Azure Synapse<\/a> \u2013 tracked as CVE-2022-29972 \u2013 that has taken the best part of six months to get on top of.<\/p>\n<p>The Azure Synapse Analytics service imports and processes data from other sources, such as Azure Data Lake, Amazon S3 or CosmosDB, into instances or workspaces that connect out to the data source via an integration runtime, which can be hosted either on-premises or in the Azure Cloud.<\/p>\n<p>CVE-2022-29972, dubbed SynLapse, affected Synapse Analytics in Azure and Azure Data Factory. 
If successfully exploited, it would have enabled attackers to bypass tenant separation and obtain credentials to other Azure Synapse accounts, control their Azure Synapse workspaces, execute code on targeted machines, and leak customer credentials.<\/p>\n<p>What is more, said Orca researcher <a href=\"https:\/\/twitter.com\/tzahpahima?lang=en\">Tzah Pahima<\/a>, an attacker would have been able to accomplish all this <a href=\"https:\/\/vimeo.com\/26made\/review\/697795723\/39bc9d9948\">while knowing nothing more than the name of an Azure Synapse workspace<\/a>.<\/p>\n<p>Pahima and Orca have raised concerns because despite first approaching Microsoft on 4 January 2022, a fix has taken more than 100 days to materialise.<\/p>\n<p>According to Orca\u2019s timeline, the team waited over a month from disclosure to the Microsoft Security Research Centre (MSRC) until Microsoft requested additional details to aid its investigation on 19 February, and again on 4 March. It then took until the end of March to deploy an initial patch, which Orca claims it bypassed on 30 March.<\/p>\n<p>On 4 April \u2013 90 days after disclosure \u2013 it again notified Microsoft that the vulnerability still existed, and after a series of meetings between the two organisations, a replacement patch dropped on 7 April. The Orca team bypassed it three days later, on 10 April. 
On 15 April, a third patch was deployed, which fixed the RCE and reported attack vectors.<\/p>\n<p>In a coordinated disclosure, <a href=\"https:\/\/orca.security\/resources\/blog\/azure-synapse-analytics-security-advisory\/\">Orca<\/a> and <a href=\"https:\/\/msrc-blog.microsoft.com\/2022\/05\/09\/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\/\">MSRC<\/a> went public with SynLapse on 9 May, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-releases-fixes-for-azure-flaw-allowing-rce-attacks\/\">as reported at the time<\/a>, although they held off from disclosing technical details to give users time to patch. It is important to note that there is no evidence the vulnerability was ever exploited in the wild.<\/p>\n<p>But the story did not end there, and at the end of May, Microsoft deployed a more consistent fix for the problem and implemented a number of recommendations that Pahima made during the process \u2013 including implementing least-privilege access to internal management servers, and moving the shared integration runtime to a sandboxed ephemeral virtual machine (VM), meaning that even if an attacker was able to run code on the integration runtime, the code could never be shared between different Azure tenants.<\/p>\n<p>\u201cIn the light of this information, we now believe that Azure Synapse Analytics provides sufficient tenant isolation,\u201d said Pahima. \u201cAs such, we have removed alerting on Synapse from within the Orca Cloud Security Platform. 
Microsoft continues to work on additional isolation and hardening.<\/p>\n<p>\u201cSynLapse, and previous critical cloud vulnerabilities such as&nbsp;<a href=\"https:\/\/orca.security\/resources\/blog\/autowarp-microsoft-azure-automation-service-vulnerability\/\">Azure AutoWarp<\/a>,&nbsp;<a href=\"https:\/\/orca.security\/resources\/blog\/aws-glue-vulnerability\/\">AWS Superglue<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/orca.security\/resources\/blog\/aws-cloudformation-vulnerability\/\">AWS BreakingFormation<\/a>, show that nothing is bulletproof and there are numerous ways attackers can reach your cloud environment. That is why it is important to have complete visibility into your cloud estate, including the most critical attack paths.\u201d<\/p>\n<p>Despite the fraught experience, Pahima said there were no hard feelings between the two, although clearly there are lessons to be learned.<\/p>\n<p>\u201cDuring this process, we worked with a number of different groups within Microsoft,\u201d he said. 
\u201cMicrosoft was a great partner in working to resolve SynLapse and we appreciate their collaborative spirit, transparency, and dedication to helping make the cloud more secure for our joint customers.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ethical hackers at Orca Security have added their voices to a growing number of concerns in the community over how tech companies go about fixing responsibly disclosed vulnerabilities in a timely manner, after going public with a critical shell injection vulnerability leading to remote code execution (RCE) in Microsoft Azure Synapse \u2013 tracked as CVE-2022-29972 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":36689,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36688","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36688"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36688\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36689"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2F
v2%2Fcategories&post=36688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}