Orca Security Discloses How It Breached Azure Synapse Customer Accounts
Orca Security on Tuesday published its findings on a security hole in Azure Synapse, as well as Azure Data Factory, that permitted access to customer tenancy accounts on Microsoft's shared "cloud" infrastructure.
Portland, Ore.-based Orca Security specializes in finding and addressing cloud security issues.
Microsoft acknowledged the security problems with the Azure Synapse service in this May 9 security announcement, and stated that they had been fixed on April 15. However, in the interval before that fix, Orca Security was able to bypass two of Microsoft's earlier attempts to address the underlying problems. All told, it took a good five months from Orca Security's first disclosure of the problems on Jan. 4 for Microsoft to reach a workable resolution.
Orca Security researcher Tzah Pahima is credited with the discovery of an exploit that used an integration runtime component of Azure Synapse (formerly known as "Azure SQL Data Warehouse") to leverage a Microsoft internal API server, which then permitted remote code execution across tenancies. He used the name "SynLapse" to refer to this research.
Pahima summarized the issue, noting that he was able to access a Synapse client certificate with "full permissions" to Microsoft's internal API server:
It is worth noting that the major security flaw wasn't so much the ability to execute code in a shared environment but rather the implications of such code execution. More specifically, executing code on the shared integration runtime exposed a client certificate to a powerful, internal API server. This enabled an attacker to compromise the service and access other customers' resources.
In the earlier phases of his investigation, Pahima only needed to know the name of an Azure Synapse workspace to conduct an attack. Azure Synapse is used to process data from various sources, and an "Azure Synapse workspace" is Microsoft's term for a Synapse instance used for that purpose, Pahima explained.
While Microsoft did eventually fix that problem, just knowing the Azure Synapse name had allowed Pahima to gain access to other customer accounts, leak the customer credentials stored in the Azure Synapse workspace, run remote code on "any customer's integration runtimes" and "take control of the Azure batch pool managing all of the shared integration runtimes."
For its trouble in researching and communicating the problems, Orca Security was awarded $60,000 from Microsoft.
Orca Security delayed publishing its findings until now to "give Azure Synapse customers time to patch their on-premises versions and reconsider their Azure Synapse usage," Pahima indicated.
Microsoft's May 9 announcement suggested that most Azure Synapse customers wouldn't need to take any action. However, there was one exception. "Self-host IR customers without auto-update need to take action to safeguard their deployments," Microsoft had indicated back then.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.