Critical Azure Vulnerability Creates a Massive Attack Surface
Microsoft has released patches for a vulnerability affecting Azure Synapse and Azure Data Factory that allows threat actors to achieve remote code execution (RCE) on the Integration Runtime infrastructure. The vulnerability, tracked as CVE-2022-29972, was rated high risk by the company, with a severity score of 8.2.
Fixes for this vulnerability were previously released on April 15, but cybersecurity researchers suggest that the threat still exists.
How Does the Vulnerability Affect Users?
According to Microsoft’s security advisory, the vulnerability resides in a third-party ODBC data connector used to connect to the Integration Runtime (IR) in Azure Synapse Pipelines and to Amazon Redshift in Azure Data Factory.
The vulnerability, nicknamed SynLapse and tracked as CVE-2022-29972, allows threat actors to execute code remotely on the Integration Runtime infrastructure. It also allows attackers to access other customers’ Synapse workspaces and to leak sensitive data, including service keys, API tokens, and passwords for other services.
Because the Integration Runtime provides data integration capabilities across all network environments, the ability of threat actors to execute commands there poses a high risk.
Are There Patches or Mitigation Measures for SynLapse?
Microsoft stated that Self-Hosted Integration Runtime users who use Azure cloud services or keep automatic updates enabled do not need to take any action. Self-Hosted IR customers who have not turned on auto-update are advised to upgrade to version 5.17.8154.2, available from the Microsoft Download Center.
Updates can be installed on 64-bit systems with .NET Framework 4.7.2 or higher, including Windows 11 and Windows Server 2022.
Cybersecurity researchers recommend taking some mitigation measures even if patches are applied. They state that the weakness still exists in the infrastructure architecture and underline that third-party code is running in the service, which may allow access to other customers’ sensitive data.
While Microsoft states that it is working to reduce the large attack surface and risk potential created by the vulnerability, it recommends its customers configure their Synapse workspaces with a Managed Virtual Network that provides better network isolation.
Recent Azure Vulnerabilities
Discovered by cybersecurity firm Orca, SynLapse isn’t the first vulnerability in Azure this year. In January, two months after SynLapse, which was publicly disclosed, Microsoft announced that it had fixed a vulnerability called AutoWarp, which allowed attackers to exploit an Azure Automation bug.
In April, Microsoft fixed critical vulnerabilities in Azure Database for PostgreSQL Flexible Server that allowed threat actors to bypass authentication and access other customers’ data.