A security researcher at Orca Security has discovered SynLapse vulnerability, tracked as CVE-2022-29972, was discovered during beginning of 2022 year and the same already been discussed in our blog a month back.
Microsoft took nearly 3 months to publish mitigations and recommendations. Orca Security waited for more than a month to reveal the details to allow users to patch their on-premises versions and reconsider their Azure Synapse usage.
The SynLapse vulnerability has a CVSS score of 7.8, allowing attackers to bypass tenant separation while including the ability to:
- Obtain credentials to other Azure Synapse customer accounts.
- Control their Azure Synapse workspaces.
- Execute code on targeted customer machines inside the Azure Synapse Analytics service.
- Leak customer credentials to data sources external to Azure.
The vulnerability is related to a case of command injection in the Magnitude Simba Amazon Redshift ODBC connector found in Aure Synapse Pipelines. When exploited, it allows an attacker to execute codes in a user’s integration runtime or on the shared integration runtime.
It allowed attackers to access Synapse resources that belong to other customers by using an internal Azure API server managing the integration runtimes. By only knowing the name of a workspace, the attacker could be able to:
- Gain authorization inside other customer accounts while acting as their Synapse workspace.
- Leak credentials customers stored in their Synapse workspace.
- Communicate with other customers’ integration runtimes. It’s possible to leverage this to execute RCE on any customer’s integration runtimes.
- Take control of the Azure batch pool managing all of the shared integration runtimes. It is possible to run code on every instance.
The following Redshift drivers are impacted:
- From 1.4.14 to and including 18.104.22.1681
- From 1.4.22 to and excluding 1.4.52
Microsoft also provided security updates to further address this issue. Those operating via an Azure IR, or self-hosted integration runtime (SHIR) with auto updates enabled have no actions required. Those that are operating a SHIR without auto-updates should have been contacted by Microsoft and have been urged to update the SHIR’s to the latest version (5.17.8154.2)
Microsoft conducted a detailed internal investigation and found no cases of abuse or exploitation in the wild.