Remote code execution vulnerability in Azure Data Factory and Azure Synapse Pipelines infrastructure

Microsoft announced the release of several security updates to address a severe vulnerability in Azure Synapse and Azure Data Factory pipelines whose exploitation would allow threat actors to execute remote commands in the Integration Runtime (IR). Both services rely on the IR to move and transform data across network environments, so a flaw in it has a broad blast radius.

Tracked as CVE-2022-29972, the flaw was corrected in mid-April, and no successful exploitation attempts were detected. Tzah Pahima, a researcher at Orca Security, noted that attackers could have exploited the flaw to access and control other customers’ Synapse workspaces, exposing sensitive data such as Azure service keys, API tokens, and passwords for other services.

Microsoft's own alert states that the vulnerability resides in the third-party ODBC data connector for Amazon Redshift and affects the IR, Azure Synapse Pipelines and Azure Data Factory: “The vulnerability could have allowed an attacker to execute remote commands on the IR infrastructure without being limited to a single tenant,” adds the company.

Successful exploitation of the ODBC connector flaw would have allowed malicious attackers to run jobs on a Synapse pipeline and achieve remote command execution. A later attack stage would have facilitated the theft of Azure Data Factory service certificates, which could then be used to run commands in another tenant’s Azure Data Factory Integration Runtimes.

Orca Security believes that this architecture contains significant weaknesses that need to be addressed with a more robust tenant separation approach.

Regarding mitigation, Microsoft says customers using the Azure Integration Runtime, or hosting their own on-premises environment (Self-Hosted Integration Runtime) with automatic updates enabled, need do nothing more than receive the updates to mitigate the exploitation risk.

Self-hosted IR customers who do not have automatic updating turned on should have already received a notification to protect their deployments through Azure Service Health Alerts. Microsoft also recommends updating self-hosted Integration Runtime deployments to the latest available version (v5.17.8154.2).
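Since the mitigation for self-hosted deployments hinges on the installed IR version and on auto-update being enabled, the following added inventory check (example code, not from Microsoft or the article) lists self-hosted Integration Runtimes in the current subscription that are below the version cited above or that have auto-update turned off. It assumes the Az.Accounts and Az.DataFactory modules, an authenticated session (Connect-AzAccount) with read access to the data factories, and the `Version`, `AutoUpdate` and `Type` properties that `Get-AzDataFactoryV2IntegrationRuntime -Status` returns for self-hosted runtimes.

```powershell
# Added example: flag self-hosted Integration Runtimes that are outdated or not auto-updating.
# Assumes Az.DataFactory is installed and Connect-AzAccount has already been run.

# Version named in the article as the latest available self-hosted IR release.
$MinimumVersion = [version]'5.17.8154.2'

$findings = foreach ($factory in Get-AzDataFactoryV2) {
    # -Status pulls the runtime's live status, including the installed version and node list.
    $runtimes = Get-AzDataFactoryV2IntegrationRuntime `
        -ResourceGroupName $factory.ResourceGroupName `
        -DataFactoryName   $factory.DataFactoryName `
        -Status

    foreach ($ir in $runtimes | Where-Object { $_.Type -eq 'SelfHosted' }) {
        # Version is empty when no node has registered yet; treat that as unknown, not outdated.
        $installed = if ($ir.Version) { [version]$ir.Version } else { $null }
        $outdated  = ($null -ne $installed) -and ($installed -lt $MinimumVersion)

        # AutoUpdate reports 'On' or 'Off'; anything other than 'On' needs a manual update plan.
        $noAutoUpdate = $ir.AutoUpdate -ne 'On'

        if ($outdated -or $noAutoUpdate) {
            [pscustomobject]@{
                DataFactory = $factory.DataFactoryName
                Runtime     = $ir.Name
                Version     = $ir.Version
                AutoUpdate  = $ir.AutoUpdate
                Outdated    = [bool]$outdated
                Nodes       = ($ir.Nodes | Measure-Object).Count
            }
        }
    }
}

# Empty output means every self-hosted IR is at or above the cited version with auto-update on.
$findings | Format-Table -AutoSize
```

Integration Runtimes attached to Synapse workspaces rather than data factories are managed through the Az.Synapse module and are not covered by this check.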
