Microsoft has addressed a critical RCE flaw, tracked as CVE-2022-29972 and named SynLapse, resides in thrid party driver that used by Azure Synapse and Azure Data Factory discovered by researchers from orca security
This vulnerability was specific to the third-party ODBC driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime and did not impact Azure Synapse on a larger extent. The vulnerability could have allowed an attacker to perform RCE across IR infrastructure not limited to a single tenant.
A threat actor can exploit this flaw to acquire the Azure Data Factory service certificate and execute commands in another tenant’s Azure Data Factory Integration Runtimes.
This has been speculated that the tenant separation is not sufficiently robust to prevent users from accessing sensitive data of other tenants, including Azure’s service keys, API tokens, and passwords to other services.
Experts discovered the SynLapse issue in January 4 and fixed it on April 15. Microsoft also said it didn’t found no evidence of attacks exploiting this flaw in the wild.