Microsoft has released security updates to address a security flaw affecting Azure Synapse and Azure Data Factory pipelines that could let attackers execute remote commands across Integration Runtime infrastructure.
The Integration Runtime (IR) compute infrastructure is used by Azure Synapse and Azure Data Factory pipelines to provide data integration capabilities across network environments (e.g., data flow, activity dispatch, SQL Server Integration Services (SSIS) package execution).
The vulnerability (tracked as CVE-2022-29972 and reported by Orca Security) was mitigated on April 15, with no evidence of exploitation before fixes were released.
“The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory,” Microsoft explained in a security advisory published today.
“The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant,” the company added in a Microsoft Security Response Center (MSRC) blog post.
Successful exploitation of this ODBC connector for Amazon Redshift flaw could let malicious attackers running jobs in a Synapse pipeline execute remote commands.
In the next attack stage, they could potentially steal the Azure Data Factory service certificate to execute commands in another tenant’s Azure Data Factory Integration Runtimes.
How to mitigate
Microsoft says that customers using Azure cloud (Azure Integration Runtime) or who host their own on-premises (Self-Hosted Integration Runtime) with auto-updates turned on don’t need to take any further action to mitigate this flaw.
Self-host IR customers who don’t have auto-update toggled on were already notified to safeguard their deployments via Azure Service Health Alerts (ID: MLC3-LD0).
The company advises them to update their self-hosted IRs to the latest version (5.17.8154.2) available on Microsoft’s Download Center.
These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or above running client and server platforms, including the latest releases (Windows 11 and Windows Server 2022).
“For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network which provides better compute and network isolation,” Redmond added.
“Customers using Azure Data Factory can enable Azure integration runtimes with a Managed Virtual Network.”
You can find further information on how to fully mitigate CVE-2022-299 in the “Customer Recommendations and Additional Support” section of MSRC’s blog post.
Disclosure timeline:
- January 4 – Orca reported the issue to Microsoft
- March 2 – Microsoft completed rollout of initial hotfix
- March 11 – Microsoft identified and notified the customer affected by the researcher’s activity
- March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
- April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
- April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied
In March, Microsoft said it fixed another Azure security vulnerability in December (also reported by Orca Security) that enabled attackers to take complete control over other Azure customers’ data by abusing an Azure Automation service bug dubbed AutoWarp.
Last month, the company addressed a chain of critical bugs in the Azure Database for PostgreSQL Flexible Server (known as ExtraReplica) that let malicious users gain access to other customers’ databases after bypassing authentication.
Other Microsoft Azure flaws fixed by Redmond during the last year include ones found in Azure Cosmos DB, the Open Management Infrastructure (OMI) software agent, and the Azure App Service.
Source: https://www.bleepingcomputer.com/news/security/microsoft-releases-fixes-for-azure-flaw-allowing-rce-attacks/
