Microsoft has released security updates to address a security vulnerability affecting Azure Synapse and Azure Data Factory pipelines that could allow attackers to execute commands remotely on the integration execution framework.
The Integration Runtime (IR) compute framework is used by Azure Synapse pipelines and Azure Data Factory to provide data integration functionality in network environments (e.g. data flow, activity dispatch, execution of SQL packages Server Integration Services (SSIS)).
The vulnerability (tracked as CVE-2022-29972 and reported by Orca Security) was mitigated on April 15, with no evidence of exploitation before patches were released.
“The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory,” Microsoft explained in a security advisory released today.
“The vulnerability could have allowed an attacker to execute remote commands on an IR infrastructure not limited to a single tenant,” the company added in a Microsoft Security Response Center (MSRC) blog post.
Successful exploitation of this ODBC connector for the Amazon Redshift flaw could allow malicious attackers running tasks in a Synapse pipeline to execute commands remotely.
In the next stage of attack, they could potentially steal the Azure Data Factory service certificate to run commands in another tenant’s Azure Data Factory integration runtimes.
How to mitigate
Microsoft says that customers using the Azure cloud (Azure Integration Runtime) or hosting their own on-premises environment (Self-Hosted Integration Runtime) with automatic updates enabled do not need to take any further steps to mitigate this. fault.
Self-hosted IR customers who have not enabled auto-update have already been notified to protect their deployments via Azure Service Health Alerts (ID: MLC3-LD0).
The company advises them to update their self-hosted IRs to the latest version (5.17.8154.2) available on the Microsoft Download Center.
These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or higher running client and server platforms, including the latest versions (Windows 11 and Windows Server 2022).
“For additional protection, Microsoft recommends configuring Synapse workspaces with a managed virtual network that provides better compute and network isolation,” Redmond added.
“Customers using Azure Data Factory can enable Azure Integration Runtimes with a managed virtual network.”
You can find more information on how to fully mitigate CVE-2022-299 in the “Customer Recommendations and Additional Support” section of the MSRC blog post.
Disclosure schedule:
- January 4 – Orca reported the issue to Microsoft
- March 2 – Microsoft has completed initial patch rollout
- March 11 – Microsoft identifies and notifies customer affected by researcher activity
- March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
- April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
- April 15 – Additional fixes rolled out for the two newly reported attack paths as well as additional defense-in-depth measures applied
In March, Microsoft said it patched another Azure security vulnerability in December (also reported by Orca Security) that allowed attackers to take full control of other Azure customers’ data by abusing a bug in the Azure Automation service called AutoWarp.
Last month, the company fixed a string of critical bugs in Azure Database for PostgreSQL Flexible Server (known as ExtraReplica) that allowed malicious users to access other customers’ databases after bypassing the ‘authentication.
Other Microsoft Azure vulnerabilities patched by Redmond over the past year include those found in Azure Cosmos DB, the Open Management Infrastructure (OMI) software agent, and Azure App Service.