Security researchers at Orca Security have issued a security advisory pointing to weaknesses in Azure Synapse and Azure Data Factory.
Microsoft has fixed a critical remote code execution (RCE) vulnerability (CVE-2022-29972) in its own workspace, but Orca says that the ease of exploitation points to architectural weaknesses in Synapse that still need to be addressed.
The vulnerability originated in a third-party Open Database Connectivity (ODBC) driver used by the Integration Runtime (IR) to connect to Amazon Redshift, and it could have allowed an attacker to execute commands on the cloud infrastructure and move between tenants. Self-hosted IR users should update immediately.
A malicious user could access user credentials and run code on other customers’ machines.
Self-hosted IRs with a version less than 5.17.8154.2 may still be vulnerable.
Affected products: Azure Synapse and Azure Data Factory Integration Runtime (IR).
Containment, Mitigations & Remediations
The vulnerability has been patched by Microsoft. Self-hosted IR environments without auto-update will need to manually update to the latest version (5.17.8154.2).
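A practical first step for the remediation above is to find every self-hosted IR node still below the fixed build. The following is an added example, not code from the advisory, Orca or Microsoft: it compares reported IR versions against 5.17.8154.2 numerically (a plain string comparison would wrongly rank 5.9.x above 5.17.x) and flags nodes that need a manual update, nodes on auto-update whose version has not yet caught up, and nodes whose version could not be read. The inventory is constructed sample data; the host names and the `auto_update` field are assumptions about how a team records its IR fleet.

```python
"""Triage self-hosted Integration Runtime versions against the fixed build.

Added example (not from the advisory). FIXED_VERSION is the build named in
the advisory; the inventory below is constructed sample data.
"""
from __future__ import annotations

FIXED_VERSION = "5.17.8154.2"  # first non-vulnerable self-hosted IR build per the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints, padded to four parts.

    Padding makes "5.17.8154" compare as "5.17.8154.0", i.e. older than the fix.
    Raises ValueError on anything that is not purely numeric parts.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in parts]
    nums.extend([0] * (4 - len(nums)))
    return tuple(nums[:4])


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, version, action) for every node that needs attention.

    Nodes at or above the fixed build produce no finding. Nodes with
    auto-update enabled but still on an old build are flagged separately so
    an operator can confirm the update actually applied.
    """
    findings: list[tuple[str, str, str]] = []
    for node in inventory:
        host, version = node["host"], node["version"]
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            findings.append((host, version, "unparseable version: verify manually"))
            continue
        if not vulnerable:
            continue
        if node.get("auto_update"):
            findings.append((host, version, "below fixed build: confirm auto-update has applied"))
        else:
            findings.append((host, version, "below fixed build: update manually"))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "ir-prod-01", "version": "5.17.8154.2", "auto_update": True},
    {"host": "ir-prod-02", "version": "5.9.7900.1", "auto_update": False},
    {"host": "ir-dev-01", "version": "5.17.8150.0", "auto_update": True},
    {"host": "ir-legacy", "version": "n/a", "auto_update": False},
]

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:14} {action}")
```

Feed `triage` whatever export your fleet tooling produces (one dict per node with at least `host` and `version`); the only advisory-specific value is `FIXED_VERSION`, so the same check can be reused for later IR releases.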
Microsoft also recommends configuring Synapse workspaces with a Managed Virtual Network for additional protection.
Orca Security advises that a more robust tenant separation mechanism is needed on the server and customers should not trust the service with sensitive data until this is fixed.
Microsoft says they are working to ensure “that Cloud processes and workloads, including third-party data connectors, run in a zero-trust architecture that advances cross-tenant isolation.”
Indicators of Compromise
Microsoft has investigated and found that the only related activity came from the security researchers who reported the bug.
MITRE ATT&CK technique: T1190 – Exploit Public-Facing Application