CVE-2022-29972 is a security vulnerability in Azure Synapse and Azure Data Factory pipelines that could let threat actors execute remote commands in the Integration Runtime Infrastructure (IR). Microsoft explains that the IR is a compute infrastructure utilized by Azure Data Factory and Azure Synapse pipelines that provides data integration capabilities across network environments.
CVE-2022-29972 In Detail
The vulnerability itself has been dubbed SynLapse by the Orca Security researchers who analyzed it and issued a warning. The team believes that the tenant separation in the Microsoft Azure Synapse service is “insufficiently robust to protect secrets against other tenants.” Based on the researchers’ understanding of the service’s architecture, and on their repeated bypasses of Microsoft’s fixes, they think the architecture has underlying weaknesses that should be addressed with a more robust tenant separation mechanism, according to the advisory they issued.
Apparently, threat actors can exploit CVE-2022-29972 to access and control other customers’ Synapse workspaces. This could then expose sensitive data, including Azure service keys, API tokens, and passwords to other services.
According to Microsoft’s advisory, the flaw was discovered in the third-party ODBC data connector used to connect to Amazon Redshift, which ships with the IR in Azure Synapse Pipelines and Azure Data Factory. An attacker who is able to run jobs in a Synapse pipeline could leverage the flaw to execute remote commands.
“Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it,” Orca Security said. However, Microsoft said that customers who use the Azure-hosted IR, or who host their own on-premises IR with auto-update turned on, don’t need to take any further mitigation steps.
Self-hosted IR customers who don’t have auto-update turned on should already have been notified via Azure Service Health Alerts (ID: MLC3-LD0). Microsoft advises them to update their self-hosted IRs to the latest version (5.17.8154.2), which can be downloaded from Microsoft’s Download Center.
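To verify that remediation in your own estate, the following added example (not from the advisory, Orca, or Microsoft) enumerates the self-hosted IRs across every Data Factory in the current subscription and flags any still below 5.17.8154.2 or with auto-update off. It assumes the Az.DataFactory module is installed, Connect-AzAccount has been run, and that the status object exposes Type, Version and AutoUpdate as those cmdlets document; Synapse workspaces would need the equivalent Az.Synapse cmdlets, which are not covered here.

```powershell
# Added example: audit self-hosted Integration Runtimes against the patched version
# named in the advisory. Assumes Az.DataFactory and an authenticated Az session.
$PatchedVersion = [version]'5.17.8154.2'   # version cited in the article

function Test-SelfHostedIrPatched {
    # Returns a one-word verdict for a single runtime so results can be tabulated or alerted on.
    param(
        [string]$Version,      # e.g. '5.17.8154.2'; empty when the runtime is offline
        [string]$AutoUpdate    # 'On' or 'Off' as reported by the status object (assumed)
    )
    if ([string]::IsNullOrWhiteSpace($Version)) { return 'UNKNOWN-NO-VERSION-REPORTED' }
    if ([version]$Version -lt $PatchedVersion)  { return 'VULNERABLE-BELOW-5.17.8154.2' }
    if ($AutoUpdate -ne 'On')                   { return 'PATCHED-BUT-AUTOUPDATE-OFF' }
    return 'OK'
}

$report = foreach ($factory in Get-AzDataFactoryV2) {
    $common = @{
        ResourceGroupName = $factory.ResourceGroupName
        DataFactoryName   = $factory.DataFactoryName
    }
    # List all runtimes, keep only the self-hosted ones (Azure-hosted IRs are patched by Microsoft).
    $selfHosted = Get-AzDataFactoryV2IntegrationRuntime @common |
        Where-Object { $_.Type -eq 'SelfHosted' }

    foreach ($ir in $selfHosted) {
        # -Status returns the live view, including the installed version and auto-update setting.
        $status = Get-AzDataFactoryV2IntegrationRuntime @common -Name $ir.Name -Status
        [pscustomobject]@{
            Factory    = $factory.DataFactoryName
            Runtime    = $ir.Name
            Version    = $status.Version
            AutoUpdate = "$($status.AutoUpdate)"
            Verdict    = Test-SelfHostedIrPatched -Version "$($status.Version)" -AutoUpdate "$($status.AutoUpdate)"
        }
    }
}

$report | Sort-Object Verdict | Format-Table -AutoSize
```

Any runtime that reports a verdict other than OK is a candidate for the Download Center update the article describes.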