Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory

Microsoft on Monday disclosed that it mitigated a security flaw
affecting Azure Synapse and Azure Data Factory that, if
successfully exploited, could result in remote code execution.

The vulnerability, tracked as CVE-2022-29972[1], has been codenamed
“SynLapse[2]” by researchers from Orca Security, who reported the
flaw to Microsoft in January 2022.

“The vulnerability was specific to the third-party Open Database
Connectivity (ODBC[3]) driver used to connect
to Amazon Redshift in Azure Synapse pipelines and Azure Data
Factory Integration Runtime (IR) and did not impact
Azure Synapse as a whole,” the company said[4].

“The vulnerability could have allowed an attacker to perform
remote command execution across IR infrastructure not limited to a
single tenant.”

In other words, an attacker who exploited the bug could have obtained
the Azure Data Factory service certificate and used it to reach other
tenants’ Integration Runtimes and the sensitive data they process,
effectively breaking tenant isolation.
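The affected component, per Microsoft’s statement above, is the Amazon Redshift connector running on an Integration Runtime. The first thing a practitioner wants is an inventory of which linked services in a factory use that connector and which runtime each one runs through, since a self-hosted IR is installed and updated by the customer while the Azure IR is Microsoft-managed. The script below is an added example (mine, not code from the article, Microsoft or Orca). It assumes the Data Factory resource JSON shape used by ARM template exports and by the `az datafactory linked-service list` / `az datafactory integration-runtime list` commands of the `datafactory` CLI extension (`"type": "AmazonRedshift"`, `connectVia.referenceName`, IR `"type"` of `Managed` or `SelfHosted`); verify those field names against your own export. The sample data is constructed.

```python
"""Inventory Data Factory / Synapse linked services that use the Amazon
Redshift connector and report the Integration Runtime each runs through.

Added example; assumes the ADF resource JSON layout described in the
lead-in (field names are an assumption, check them against a real export).
"""
import json

# Constructed sample of `az datafactory linked-service list` output,
# trimmed to the fields this script reads.
SAMPLE_LINKED_SERVICES = [
    {"name": "ls_redshift_sales",
     "properties": {"type": "AmazonRedshift",
                    "connectVia": {"referenceName": "AutoResolveIntegrationRuntime",
                                   "type": "IntegrationRuntimeReference"}}},
    {"name": "ls_redshift_selfhosted",
     "properties": {"type": "AmazonRedshift",
                    "connectVia": {"referenceName": "shir-onprem-01",
                                   "type": "IntegrationRuntimeReference"}}},
    {"name": "ls_blob",
     "properties": {"type": "AzureBlobStorage"}},
]

# Constructed sample of `az datafactory integration-runtime list` output.
SAMPLE_INTEGRATION_RUNTIMES = [
    {"name": "AutoResolveIntegrationRuntime", "properties": {"type": "Managed"}},
    {"name": "shir-onprem-01", "properties": {"type": "SelfHosted"}},
]

# A linked service with no connectVia runs on the factory's default Azure IR.
DEFAULT_IR = "AutoResolveIntegrationRuntime"
AFFECTED_CONNECTOR = "AmazonRedshift"


def redshift_exposure(linked_services, integration_runtimes):
    """Return one record per linked service that uses the Redshift connector:
    its name, the IR it is bound to, and whether that IR is Microsoft-managed
    or self-hosted (i.e. updated by you)."""
    ir_types = {ir["name"]: ir.get("properties", {}).get("type", "unknown")
                for ir in integration_runtimes}
    report = []
    for ls in linked_services:
        props = ls.get("properties", {})
        if props.get("type") != AFFECTED_CONNECTOR:
            continue
        ir_name = props.get("connectVia", {}).get("referenceName", DEFAULT_IR)
        report.append({
            "linkedService": ls["name"],
            "integrationRuntime": ir_name,
            "runtimeType": ir_types.get(ir_name, "unknown"),
        })
    return report


def self_hosted_hits(report):
    """Names of affected linked services bound to a self-hosted IR, the ones
    whose runtime version is the customer's responsibility."""
    return sorted(r["linkedService"] for r in report
                  if r["runtimeType"] == "SelfHosted")


if __name__ == "__main__":
    # Replace the samples with json.load() of the two CLI outputs for a real run.
    rep = redshift_exposure(SAMPLE_LINKED_SERVICES, SAMPLE_INTEGRATION_RUNTIMES)
    print(json.dumps(rep, indent=2))
    print("self-hosted:", self_hosted_hits(rep))
```

Run it against the JSON from both CLI commands for every factory and Synapse workspace you own; anything listed under the self-hosted column needs its Integration Runtime version checked on the host where it is installed.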

The tech giant, which resolved the security flaw on April 15,
said it found no evidence of misuse or malicious activity
associated with the vulnerability in the wild.

Microsoft has also published[5] detections for Microsoft Defender
for Endpoint and Microsoft Defender Antivirus to protect customers
from attempted exploitation, and said it is working with driver
vendors to improve the security of third-party data connectors.

The findings come a little over two months after Microsoft
remediated an “AutoWarp[6]” flaw in its Azure Automation service
that could have let an attacker access other Azure customers’
accounts and take control of them.

Last month, Microsoft also resolved a pair of issues, dubbed
“ExtraReplica[7]”, in Azure Database for PostgreSQL Flexible Server
that could have allowed unauthorized cross-account database access
within a region.

References

  1. CVE-2022-29972 (nvd.nist.gov)
  2. SynLapse (orca.security)
  3. ODBC (en.wikipedia.org)
  4. said (msrc-blog.microsoft.com)
  5. shared (msrc-blog.microsoft.com)
  6. AutoWarp (thehackernews.com)
  7. ExtraReplica (thehackernews.com)
