Orca Security criticizes Microsoft's slow response in fixing the SynLapse vulnerability, which was closed only after 100 days. Further isolation and hardening are recommended for better cloud security.
Although SynLapse (CVE-2022-29972) is rated Critical, it took Microsoft over 100 days to complete the steps needed to resolve it.
Vulnerability open for 100 days
Microsoft was informed of the SynLapse vulnerability on January 4th. After several follow-ups, the first patch was not provided until March, and Orca Security was able to bypass it. Microsoft finally fixed the original vulnerability on April 10, but Orca Security believes that the underlying problem, the lack of tenant segregation at the infrastructure level, remained unaddressed for too long.
SynLapse - Technical details of the critical vulnerability in Azure Synapse
One attack vector is now finally closed; additional hardening is recommended. Orca Security's latest blog post describes the technical details of SynLapse, continuing its earlier post. Orca delayed publication until now to give Synapse customers time to patch their self-hosted (on-premises) integration runtimes and to reconsider their use of Azure Synapse. MSRC has made several improvements and continues to work towards comprehensive tenant isolation.
Tzah Pahima, a researcher at Orca Security, is credited with discovering SynLapse - a critical vulnerability in Microsoft Azure Synapse Analytics that also affected Azure Data Factory. It allowed attackers to bypass tenant separation while gaining the ability to:
- Obtain credentials for other Azure Synapse customer accounts.
- Take control of those customers' Azure Synapse workspaces.
- Run code on targeted customer machines within the Azure Synapse Analytics service.
- Leak customer credentials to data sources outside of Azure.
An attacker who knew nothing more than the name of an Azure Synapse workspace could capture the credentials a victim entered into Synapse; Orca's blog post demonstrates this in a video.
What is Azure Synapse Analytics?
Azure Synapse Analytics imports and processes data from many customer data sources (e.g. CosmosDB, Azure Data Lake and external sources like Amazon S3).
Each Synapse instance is called a workspace. To import and process data from an external data source, a customer enters credentials and connection details, and then connects to that source through an integration runtime, a machine that connects to many different data sources.
Integration runtimes can either be self-hosted (on-premises) or hosted in the Azure cloud (via Azure Data Factory integration runtime). Azure IRs hosted in the cloud can also be configured with a Managed Virtual Network (VNet) to use private endpoints for external connections, which can provide additional layers of isolation.
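The two configuration points described above, whether an Azure-hosted integration runtime sits in a managed virtual network and whether a linked service keeps its credentials inline in the workspace rather than as a Key Vault reference, can be audited from the exported definitions. The following is an added example, not code from Orca Security or Microsoft: it parses JSON constructed here to mimic the shape of `az synapse integration-runtime list` and `az synapse linked-service list` output. The field names (`managedVirtualNetwork`, `connectVia`, `SecureString`, `AzureKeyVaultSecret`) and the assumption that a linked service without `connectVia` uses `AutoResolveIntegrationRuntime` are modelled on the ARM resource schema and should be verified against your own tenant's output before relying on the results.

```python
"""Posture check for Azure Synapse / Data Factory integration runtimes and linked
services. Added example, not code from Orca Security or Microsoft. The sample JSON is
constructed to mimic `az synapse integration-runtime list` / `linked-service list`
output; field names are assumptions modelled on the ARM schema, verify against your tenant."""
import json
import re
from dataclasses import dataclass

DEFAULT_AZURE_IR = "AutoResolveIntegrationRuntime"   # assumed default when connectVia is absent
PLAINTEXT_SECRET_RE = re.compile(r"(password|accountkey|sharedaccesskey|secret)\s*=", re.I)

# Constructed sample: Azure IR without managed VNet, Azure IR with one, self-hosted IR.
SAMPLE_INTEGRATION_RUNTIMES = json.dumps([
    {"name": DEFAULT_AZURE_IR, "properties": {"type": "Managed",
        "typeProperties": {"computeProperties": {"location": "AutoResolve"}}}},
    {"name": "vnet-ir", "properties": {"type": "Managed",
        "managedVirtualNetwork": {"type": "ManagedVirtualNetworkReference", "referenceName": "default"},
        "typeProperties": {"computeProperties": {"location": "AutoResolve"}}}},
    {"name": "onprem-ir", "properties": {"type": "SelfHosted", "typeProperties": {}}},
])

# Constructed sample: inline SecureString, plaintext connection string, Key Vault reference.
SAMPLE_LINKED_SERVICES = json.dumps([
    {"name": "sql-inline", "properties": {"type": "AzureSqlDatabase",
        "connectVia": {"referenceName": DEFAULT_AZURE_IR, "type": "IntegrationRuntimeReference"},
        "typeProperties": {"connectionString": {"type": "SecureString",
            "value": "Server=sql.example.test;User ID=etl;Password=hunter2"}}}},
    {"name": "blob-plain", "properties": {"type": "AzureBlobStorage",
        "typeProperties": {"connectionString":
            "DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=Zm9vYmFy"}}},
    {"name": "s3-kv", "properties": {"type": "AmazonS3",
        "connectVia": {"referenceName": "vnet-ir", "type": "IntegrationRuntimeReference"},
        "typeProperties": {"accessKeyId": "AKIAEXAMPLEKEY",
            "secretAccessKey": {"type": "AzureKeyVaultSecret", "secretName": "s3-secret",
                "store": {"referenceName": "kv-ls", "type": "LinkedServiceReference"}}}}},
])

@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    detail: str

def _walk_secrets(node, path):
    """Yield (path, reason) for each credential kept inline under a linked service."""
    if isinstance(node, dict):
        kind = node.get("type")
        if kind == "SecureString":        # secret material sits in the workspace definition
            yield path, "SecureString stored inline in the workspace"
            return
        if kind == "AzureKeyVaultSecret": # reference only; the secret stays in Key Vault
            return
        for key, value in node.items():
            yield from _walk_secrets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_secrets(value, f"{path}[{i}]")
    elif isinstance(node, str) and PLAINTEXT_SECRET_RE.search(node):
        yield path, "plaintext connection string carries a secret"

def audit_integration_runtimes(ir_json):
    """Flag Azure IRs outside a managed VNet; list self-hosted IRs for version review."""
    findings, shared_irs = [], set()
    for ir in json.loads(ir_json):
        props = ir.get("properties", {})
        if props.get("type") == "Managed" and "managedVirtualNetwork" not in props:
            shared_irs.add(ir["name"])
            findings.append(Finding(ir["name"], "no-managed-vnet",
                                    "Azure IR has no managed virtual network"))
        elif props.get("type") == "SelfHosted":
            findings.append(Finding(ir["name"], "self-hosted-version",
                                    "confirm the installed self-hosted IR version carries the fix"))
    return findings, shared_irs

def audit_linked_services(ls_json, shared_irs):
    """Flag inline credentials and services routed through an IR without a managed VNet."""
    findings = []
    for ls in json.loads(ls_json):
        props = ls.get("properties", {})
        for path, reason in _walk_secrets(props.get("typeProperties", {}), "typeProperties"):
            findings.append(Finding(ls["name"], "inline-secret", f"{path}: {reason}"))
        ir_name = props.get("connectVia", {}).get("referenceName", DEFAULT_AZURE_IR)
        if ir_name in shared_irs:
            findings.append(Finding(ls["name"], "shared-ir",
                                    f"connects via {ir_name}, which has no managed virtual network"))
    return findings

def audit(ir_json, ls_json):
    """Run both audits and return every finding."""
    ir_findings, shared_irs = audit_integration_runtimes(ir_json)
    return ir_findings + audit_linked_services(ls_json, shared_irs)

if __name__ == "__main__":
    for f in audit(SAMPLE_INTEGRATION_RUNTIMES, SAMPLE_LINKED_SERVICES):
        print(f"{f.resource:30} {f.check:20} {f.detail}")
```

To run it against a real workspace, replace the two constructed samples with the output of the corresponding `az synapse ... list` commands. The `_walk_secrets` walker deliberately stops at an `AzureKeyVaultSecret` object so that a Key Vault reference is never reported as an inline secret, while any `SecureString` or a plain string carrying `Password=`/`AccountKey=` is, since those are exactly the values that live in the workspace definition.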
How critical was SynLapse?
SynLapse allowed attackers to access Synapse resources owned by other customers through an internal Azure API server that manages the integration runtimes. Knowing only the name of a workspace, the Orca team was able to:
- Obtain authorization within other customer accounts while acting as a Synapse workspace. Depending on the configuration, the team could have accessed even more resources within a customer account.
- Read credentials that customers had stored in their Synapse workspace.
- Communicate with other customers' integration runtimes. The Orca team used this to achieve remote code execution (RCE) on any customer's integration runtime.
- Take control of the Azure Batch pool that manages all shared integration runtimes. Orca was able to run code on any instance.
Future mitigation
After discussions with Microsoft, Orca Security now believes that Azure Synapse Analytics is secure and provides adequate tenant isolation. Because of this, Orca has removed the Synapse alerts from the Orca Cloud Security platform. Microsoft continues to work on additional isolation and hardening.
More at Orca.security
About Orca Security
Orca Security delivers out-of-the-box security and compliance for AWS, Azure, and GCP, without the gaps in coverage, alert fatigue, and operational costs of agents or sidecars. Simplify cloud security operations with a single CNAPP platform for workload and data protection, cloud security posture management (CSPM), vulnerability management, and compliance. Orca Security prioritizes risks based on security issue severity, accessibility, and business impact.