Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability, in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information.
As a result, even if an attacker could execute code on the integration runtime, that runtime is never shared between two tenants, so no sensitive data is put at risk, according to Orca Security's technical report detailing the flaw. Besides permitting an attacker to obtain credentials for other Azure Synapse customer accounts, the flaw made it possible to sidestep tenant separation, execute code on targeted customer machines, take control of Synapse workspaces, and leak sensitive data to external sources. As the report puts it: "At its core, the issue relates to a case of command injection found in the Magnitude Simba Amazon Redshift ODBC connector used in Azure Synapse Pipelines that could be exploited to achieve code execution on a user's integration runtime, or on the shared integration runtime."
The high-severity issue, tracked as CVE-2022-29972 (CVSS score: 7.8) and disclosed early last month, could have allowed an attacker to perform remote command execution and gain access to another Azure client's cloud environment. Originally reported by the cloud security company on January 4, 2022, SynLapse wasn't fully patched until April 15, a little over 120 days after initial disclosure, and only after two earlier fixes deployed by Microsoft were found to be easily bypassed.
To fix the root cause, Microsoft needed to implement a few mitigations, mainly:
- A sandbox – Move the shared integration runtime to a sandboxed ephemeral VM. This means that if an attacker could execute code on the integration runtime, it is never shared between two different tenants, so no sensitive data is in danger.
- Limit API access – Implement least-privilege access to the internal management server; this prevents attackers from using the certificate to access other tenants' information. At the beginning of June, Microsoft shared with us that they have implemented all recommendations and the Synapse Integration Runtime is now using ephemeral nodes and scoped, low-privileged API tokens.
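The second mitigation is easier to reason about with a concrete model. The following is an added illustrative example, not Microsoft's or Orca's code: it contrasts a management-API lookup that trusts any caller presenting the shared runtime's client certificate (which carries no tenant binding) with one that requires a short-lived token scoped to a single tenant and workspace. The tenant ids, workspace ids, secret names, signing key and token format are all constructed for the example.

```python
"""Illustrative tenant-scoped API token check (added example, not vendor code).

Models the "limit API access" mitigation: a management API that only honours
tokens whose scope is bound to the tenant that owns the requested resource.
Every identifier below is constructed for the example.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key; a real service would keep this in a KMS/HSM.
SIGNING_KEY = b"example-signing-key-not-real"

# Constructed inventory: which tenant owns which workspace, and its secrets.
WORKSPACES = {
    "ws-a1": {"tenant": "tenant-a", "secrets": {"redshift-pw": "pw-a"}},
    "ws-b1": {"tenant": "tenant-b", "secrets": {"redshift-pw": "pw-b"}},
}


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_scoped_token(tenant_id: str, workspace_id: str, ttl_s: int = 300, now=None) -> str:
    """Mint a short-lived token bound to exactly one tenant and one workspace."""
    now = time.time() if now is None else now
    claims = {"tenant": tenant_id, "workspace": workspace_id, "iat": now, "exp": now + ttl_s}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def verify_token(token: str, now=None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def get_secret_unscoped(cert_subject: str, workspace_id: str, secret_name: str) -> str:
    """Pre-fix shape: any caller holding the shared runtime's client certificate
    can read any workspace's secrets, because the certificate names no tenant."""
    if cert_subject != "CN=shared-integration-runtime":
        raise PermissionError("unknown client certificate")
    return WORKSPACES[workspace_id]["secrets"][secret_name]


def get_secret_scoped(token: str, workspace_id: str, secret_name: str, now=None) -> str:
    """Post-fix shape: the token must be valid, unexpired, and scoped to the
    tenant and workspace that own the requested secret."""
    claims = verify_token(token, now=now)
    if claims is None:
        raise PermissionError("invalid or expired token")
    ws = WORKSPACES.get(workspace_id)
    if ws is None or ws["tenant"] != claims["tenant"] or workspace_id != claims["workspace"]:
        # Same error whether the workspace is missing or belongs to another tenant.
        raise PermissionError("token not scoped to this workspace")
    return ws["secrets"][secret_name]


if __name__ == "__main__":
    tok = issue_scoped_token("tenant-a", "ws-a1", now=1000)
    print(get_secret_scoped(tok, "ws-a1", "redshift-pw", now=1100))  # own workspace: allowed
    try:
        get_secret_scoped(tok, "ws-b1", "redshift-pw", now=1100)     # other tenant: denied
    except PermissionError as e:
        print("denied:", e)
```

The unscoped function shows why a stolen or shared certificate is enough for cross-tenant access: authentication succeeds, but nothing ties the caller to a tenant. The scoped function makes the tenant binding part of the credential itself, and the short expiry limits how long a leaked token from a compromised ephemeral runtime remains useful.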
In light of this information, it seems that Azure Synapse Analytics provides sufficient tenant isolation. As such, alerting on Synapse has been removed from within the Orca Cloud Security Platform. Microsoft continues to work on additional isolation and hardening.
SynLapse, and previous critical cloud vulnerabilities such as Azure AutoWarp, AWS Superglue and AWS BreakingFormation show that nothing is bulletproof and there are numerous ways attackers can reach your cloud environment. That’s why it’s important to have complete visibility into your cloud estate including the most critical attack paths.