Microsoft on Monday announced that it had mitigated and remediated a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines.
In a security advisory, Microsoft said the vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift in the integration runtime (IR) for Azure Synapse Pipelines and Azure Data Factory.
According to Microsoft, this vulnerability could have allowed an attacker to execute remote commands across integration runtimes.
Microsoft said it addressed the vulnerability with the release of security updates to remediate CVE-2022-29972. In addition, Microsoft also worked with the third-party vendor on fixing the vulnerability in the driver, which has been released with its latest updates. Security pros can find more information in Microsoft's blog.
A vulnerability in the Amazon Redshift ODBC Driver lets a user running jobs with Azure Synapse Pipelines execute code in other tenants that use integration runtime (IR) infrastructure, explained Davis McCarthy, principal security researcher at Valtix. Simply put, McCarthy said threat actors with a cloud account can compromise other accounts that use similar data integration services.
“What’s unique about this vulnerability is that the attack vector stems from the pool of tenants that use similar services to your organization, that the attack surface could be any of the third-party integration tools available on the marketplace,” McCarthy said. “Organizations need network isolation and segmentation in the cloud, as service providers start to grapple with inter-tenant threats.”
Greg Fitzgerald, co-founder of Sevco Security, added that by moving quickly to patch the affected systems, Microsoft made a great first step. However, Fitzgerald said organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process.
“Patching vulnerabilities works great for the systems that you know about, but the vast majority of enterprises simply don’t know the entirety of their attack surface,” Fitzgerald said. “This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combatting threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said vulnerabilities in cloud applications can cause problems. Fortunately, Parkin said it appears that this vulnerability requires some level of authenticated access to exploit and patches have been released.
“While there’s so far no evidence that it’s been exploited in the wild, any organization that relies on these drivers should update as soon as possible,” Parkin said.