Dive Brief:
- Microsoft appears to have fully mitigated a critical vulnerability in Azure Synapse disclosed in early January by Orca Security. Since that initial disclosure, researchers have twice been able to bypass two patches from Microsoft, before the company implemented last-minute recommendations designed to protect customer data.
- The vulnerability, dubbed SynLapse by Orca Security researchers, allowed attackers to steal credentials, execute code on targeted machines in the Azure Synapse Analytics service and gain control over the workspaces of other Azure Synapse customers. The vulnerability also impacted Azure Data Factory.
- Azure Synapse Analytics collects data from various sources, including CosmosDB, Azure Data Lake as well as external providers like Amazon S3.
Dive Insight:
The vulnerability is the latest in a string of security issues for Microsoft in recent years, at a time when the company has touted its cloud services as the best way to protect customer data. Microsoft has come under criticism from security researchers about its response time on security issues, as well as transparency with customers.
The company published an extensive blog on the vulnerability on May 9, after it conducted what it called a detailed internal investigation into whether there were any cases of abuse stemming from SynLapse.
In the post, Microsoft said it found no evidence of misuse or malicious activity and claimed the vulnerability was fully mitigated by April 15th. Microsoft said no action was needed by Azure Data Factory or Azure Synapse pipeline customers if they were hosted in the cloud (Azure Integration Runtime) or hosted on-premises with auto-updates turned on.
Microsoft said the vulnerability was specific to an Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and the Azure Data Factory Integration Runtime. Microsoft said the vulnerability didn’t impact Azure Synapse as a whole.
The company worked closely with Orca Security researchers to fix the vulnerability. But even after the second patch, researchers could still access the environments of other tenants.
“The integration issue in the service is not secure enough in that it doesn’t follow the standard best practices of running a few tenants together in a shared cloud environment,” said Avi Shua, co-founder and CEO at Orca Security.
Researchers suggested Microsoft move the integration runtime to a sandboxed, ephemeral virtual machine (VM). That way, even if an attacker executed code, the runtime would no longer be shared between two tenants. They also suggested Microsoft implement least privilege access to the internal management server.
An Orca spokesperson said the company has not yet had time to validate the new patches, but added Microsoft informed it all the changes had been implemented.
The disclosure comes just a day after Microsoft was called out by Tenable’s CEO Amit Yoran for failing to adequately disclose vulnerabilities to customers and respond to researchers in a timely manner.
“Being one of the largest software companies in the world will come with a massive spotlight,” Erik Nost, senior analyst at Forrester, said via email. “Microsoft and security practitioners also need to weigh the impact of disclosing vulnerabilities to the world, which includes adversaries and bad guys.”