Home / About / Threat Intelligence / Weaknesses in Azure Synapse and Azure Data Factory

Overview

Security researchers at Orca Security have issued a security advisory pointing to weaknesses in Azure Synapse and Azure Data Factory.

Microsoft has fixed a critical RCE vulnerability (CVE-2022-29972) in their own workspace, but Orca say that the ease of exploitation points to architectural weaknesses in Synapse that still need to be addressed.

The vulnerability originated in a third-party Open Database Connectivity (ODBC) driver used by the Integration Runtime (IR) to connect to Amazon Redshift and could have allowed an attacker to execute commands on the cloud infrastructure, and move between tenants. Self-hosted IR users should update immediately.

Impact

A malicious user could access user credentials and run code on other customers’ machines.

Vulnerability Detection

Self-hosted IRs with a version less than 5.17.8154.2 may still be vulnerable.

Affected Products

Azure Synapse and Azure Data Factory Integration Runtime (IR).

Containment, Mitigations & Remediations

The vulnerability has been patched by Microsoft. Self-hosted IR environments without auto-update will need to manually update to the latest version (5.17.8154.2).

Microsoft also recommends configuring Synapse workspaces with a Managed Virtual Network for additional protection.

Orca Security advises that a more robust tenant separation mechanism is needed on the server and customers should not trust the service with sensitive data until this is fixed.

Microsoft says they are working to ensure “that Cloud processes and workloads, including third-party data connectors, run in a zero-trust architecture that advances cross-tenant isolation.”

Indicators of Compromise

None listed.

Threat Landscape

Microsoft has investigated and found that the only related activity came from the security researchers who reported the bug.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Security Advisory: Insufficient Tenant Separation in Azure Synapse Service

Tzah Pahima on Twitter

Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972)