Technical details of the SynLapse vulnerability have been revealed. The vulnerability was discovered by Tzah Pahima, a security researcher at Orca Security. The SynLapse vulnerability, tracked as CVE-2022-29972, was discovered on the 4th of January. It took approximately 3 months for Microsoft to publish mitigations and recommendations. Orca Security waited more than a month before revealing the details, to allow users to patch their on-premises versions and reconsider their Azure Synapse usage.
Technical details
The SynLapse vulnerability has a CVSS score of 7.8 and allows attackers to bypass tenant separation, including the ability to:
- Obtain credentials to other Azure Synapse customer accounts.
- Control their Azure Synapse workspaces.
- Execute code on targeted customer machines inside the Azure Synapse Analytics service.
- Leak customer credentials to data sources external to Azure.
The vulnerability involves a command injection in the Magnitude Simba Amazon Redshift ODBC connector found in Azure Synapse Pipelines. When exploited, it allows an attacker to execute code in a user’s integration runtime or on the shared integration runtime. It also allowed attackers to access Synapse resources belonging to other customers by using an internal Azure API server that manages the integration runtimes. Knowing only the name of a workspace, the attacker could:
- Gain authorization inside other customer accounts while acting as their Synapse workspace. We could have accessed even more resources inside a customer’s account depending on the configuration.
- Leak credentials customers stored in their Synapse workspace.
- Communicate with other customers’ integration runtimes. It’s possible to leverage this to run remote code (RCE) on any customer’s integration runtimes.
- Take control of the Azure batch pool managing all of the shared integration runtimes. It is possible to run code on every instance.
Orca Security said,
« At the beginning of June Microsoft shared with us that they have implemented all recommendations and Synapse Integration Runtime is now using ephemeral nodes and scoped low-privileged API tokens.
In light of this information, we now believe that Azure Synapse Analytics provides sufficient tenant isolation. As such, we have removed alerting on Synapse from within the Orca Cloud Security Platform. Microsoft continues to work on additional isolation and hardening. »