This bulletin was written by Eric Dodge of the Kudelski Security Threat Detection & Research Team
Microsoft has recently mitigated a vulnerability that was brought to their attention by researchers at Orca. The vulnerability targets the Azure Data Factory and Azure Synapse pipelines. It is specific to the open database connectivity (ODBC) driver that is used to connect to Amazon Redshift.
SynLapse allows attackers to bypass tenant separation, which in turn can lead to credential access to other Azure Synapse customer accounts, control of the Azure Synapse workspaces, code execution on the targeted machines within the Azure Synapse Analytics service, as well as leaking of credentials to sources outside of Azure.
Microsoft conducted a detailed internal investigation and found no cases of abuse or exploitation in the wild.
CVE-2022-29972 is specific to the Amazon Redshift ODBC connector in use by Azure Data Factory as well as the Azure Synapse Pipelines. This is exclusive to the Synapse pipelines and does not pertain to the rest of Azure Synapse. The integration runtimes using Azure Data Factory or Azure Synapse can be used in on-prem or cloud-based models. The following Redshift drivers are impacted:
- From 1.4.14 to and including 188.8.131.521
- From 1.4.22 to and excluding 1.4.52
The Azure Data Factory is a Microsoft Cloud Extract Transform Load (ETL) service. It enables data integration and transformation. It is available as a standalone or provided via the Azure Synapse pipelines. These are used to create an integration runtime (IR) for data integration across different network environments. These pipelines also support connectors, allowing for data to be integrated across different data stores, which includes third-party products. The IR’s can be hosted in multiple models consisting of Azure IR with managed virtual network, Azure IR without managed virtual network, or self-hosted IR (SHIR).
CVE-2022-29972, a RCE within the Redshift ODBC connector is exploited when setting up an external data source. Deploying ODBC connectors on shared Synapse IR owned by Azure is not allowed for security reasons, but by changing the name of the IR to the Azure default “AutoResolveIntegrationRuntime”, this limitation can be bypassed and thus allowing for the RCE to be active on a shared Synapse IR and shared by multiple customers. This allows for SYSTEM level permissions. Running a dump leads to access to the credentials and tokens, including one for Microsoft’s data analytics service. Note: This has now expired and been revoked per Microsoft.
Utilizing the RCE further can lead to acquisition of certificates for the internal management server and API. The combination of the RCE and API allows for innumerable operations to then be conducted. This could be done on any integration runtime as long as the proper Synapse workspace name is known.
Solution and Mitigations
Microsoft has worked to mitigate and patch this with the following steps:
- Mitigated remote command execution in the impacted driver
- Reduced the job execution privilege in the Azure Integration Runtime
- Added extra validation layers as a defense in depth to harden the service
- Rotated and revoked the backend service certificate and other Microsoft credentials that were accessed by the finder
- Collaborated with the third-party ODBC driver provider on root-cause fixes to the driver used to connect to Amazon Redshift
- Reviewed third-party driver vendor code and ran our security tooling to ensure it meets our security standards
Additionally, they have provided security updates to further address this issue. Those operating via an Azure IR, or self-hosted integration runtime (SHIR) with auto updates enabled have no actions required. Those that are operating a SHIR without auto-updates should have been contacted by Microsoft and have been urged to update the SHIR’s to the latest version (5.17.8154.2)
Microsoft also stated that, for additional protection, usage of a Synapse workspace or Azure Data Factory; in combination with a managed virtual network, is encouraged. To provide better computing and network isolation.
What the Cyber Fusion Center is Doing
The Cyber Fusion Center is aware of this vulnerability and is monitoring via Defender for endpoint, Defender AV, and Sentinel detections provided my Microsoft. Note: Defender AV detections require AV version 1.3636.1065.0 or later. Additionally, the information for the Defender detections is being utilized to perform a threat hunt for exploit activity across other technologies.