Microsoft takes months to fix critical Azure Synapse bug
Orca Security discovered that inadequate tenant separation in Microsoft's Azure Synapse service could allow a threat actor to steal credentials from thousands of customers.
Microsoft failed to adequately fix a critical flaw in Azure Synapse for months, according to a report from Orca Security.
The vulnerability, dubbed "SynLapse," was discovered by Orca Security researcher Tzah Pahima, who found that insufficient tenant separation in the cloud service allowed unauthorized parties to obtain credentials of other Synapse customers and execute malicious code in their virtual machines.
SynLapse began with Pahima's discovery of a remote code execution bug, tracked as CVE-2022-29972, in a third-party Azure data connector called Magnitude Simba Redshift. Specifically, it's used to connect Amazon Redshift with analytics service Azure Synapse and Azure Data Factory.
Pahima used the Magnitude Simba vulnerability to gain access to the Azure Synapse management server and obtain private keys and certificates; he also discovered he could gain additional access to Synapse customers because of inadequate tenant isolation. Orca reported the bug to Microsoft in early January, and Microsoft notified Orca in late March that the vulnerability was fixed. However, Pahima discovered the patch could be bypassed and that the underlying tenant separation issues were still present.
A security advisory on May 9 from Avi Shua, CEO and co-founder of Orca Security, said Microsoft's initial mitigation effort had fallen short.
"We were disappointed to see that while the specific vulnerability was fixed, the tenant separation was still extremely weak, and we were able to demonstrate a different attack vector that also allowed a bypass of Synapse tenant separation on March 30," Shua wrote.
In addition, Azure service keys and certificates obtained in the discovery of the vulnerability had not been revoked. Microsoft revoked said certificates and told Orca the vulnerability had been fixed on April 10, according to the blog post. But Orca said the fix was only partial, and another attack vector was quickly found.
Microsoft posted a security advisory on the vulnerability on May 9 -- coordinated with Orca's blog after the latter granted Microsoft an extra month to disclose -- detailing patches and mitigations. However, Orca once again said those efforts were incomplete and recommended that customers consider their use of the Azure Synapse service.
"Microsoft has since implemented additional mitigation measures that make exploitation much harder," Shua wrote in the May 9 advisory. "Unfortunately, our research leads us to believe that the underlying architectural weakness is still present."
Orca Security's Tuesday post provided the full technical details for SynLapse and an updated timeline.
Pahima wrote in this new post that Orca made multiple mitigation recommendations to Microsoft when reporting the initial issue. One was strengthening tenant separation by moving "the shared integration runtime to a sandboxed ephemeral VM," and the other was limiting API access in order to implement least privilege.
By June, the researcher wrote, Microsoft had implemented these recommendations.
"At the beginning of June Microsoft shared with us that they have implemented all recommendations and Synapse Integration Runtime is now using ephemeral nodes and scoped low-privileged API tokens," Pahima said. "In light of this information, we now believe that Azure Synapse Analytics provides sufficient tenant isolation. As such, we have removed alerting on Synapse from within the Orca Cloud Security Platform. Microsoft continues to work on additional isolation and hardening."
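The second mitigation Orca recommended, scoped low-privileged API tokens in place of credentials that reach across tenants, can be illustrated with a small model of what such a token must enforce. The following Python is an added illustration written for this article, not Microsoft's or Orca's code, and it says nothing about how Synapse actually issues tokens; the signing key, claim layout, tenant ids and scope names are all constructed for the example. It contrasts a single shared credential, which authorizes any caller for any tenant, with a token bound to one tenant, a fixed set of actions and a short lifetime, so that a token taken from one runtime node is useless against another customer and stops working on its own.

```python
"""Toy model of tenant-bound, least-privilege API tokens (added example,
not Azure Synapse code). All keys, ids and scope names are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the example issuer; never hard-code one in real code.
ISSUER_KEY = b"example-issuer-key-constructed-for-illustration"

# The weak pattern: one credential shared by every tenant's runtime.
SHARED_CREDENTIAL = "shared-runtime-credential-constructed"


def shared_credential_authorize(credential, tenant_id, action):
    """Shared-credential model: possession alone grants every action on
    every tenant, so one leaked value exposes all customers."""
    if credential == SHARED_CREDENTIAL:
        return (True, "ok")
    return (False, "bad credential")


def _sign(payload: bytes) -> str:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(tenant_id, scopes, ttl_seconds=300, now=None):
    """Issue a short-lived token carrying exactly one tenant and an
    explicit allow-list of actions. `now` is injectable for testing."""
    now = time.time() if now is None else now
    claims = {"tenant": tenant_id, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode()
    return payload + "." + _sign(payload.encode())


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is
    unexpired, otherwise None. Any tampering with tenant or scopes
    invalidates the signature."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def authorize(token, tenant_id, action, now=None):
    """Least-privilege check at the API boundary: the token must be valid,
    bound to the tenant being accessed, and explicitly granted the action."""
    claims = verify_token(token, now)
    if claims is None:
        return (False, "invalid or expired token")
    if claims["tenant"] != tenant_id:
        return (False, "token is bound to a different tenant")
    if action not in claims["scopes"]:
        return (False, "scope not granted: " + action)
    return (True, "ok")


if __name__ == "__main__":
    # A token issued to tenant-a's runtime, read-only, five-minute lifetime.
    tok = issue_token("tenant-a", ["pipeline:read"], ttl_seconds=300, now=1000)
    print(authorize(tok, "tenant-a", "pipeline:read", now=1100))   # allowed
    print(authorize(tok, "tenant-b", "pipeline:read", now=1100))   # other tenant: denied
    print(authorize(tok, "tenant-a", "pipeline:write", now=1100))  # unscoped action: denied
    print(authorize(tok, "tenant-a", "pipeline:read", now=1400))   # expired: denied
    # Contrast: the shared credential authorizes anything for anyone.
    print(shared_credential_authorize(SHARED_CREDENTIAL, "tenant-b", "pipeline:write"))
```

The point of the contrast is the blast radius of a leak: with the shared credential, compromising one customer's runtime exposes every customer, which is the situation the article describes; with a tenant-bound, scoped and short-lived token, the same compromise yields only what that one tenant's runtime was already allowed to do, and only until the token expires.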
Microsoft advised Azure Synapse and Data Factory customers to update their instances if running a self-hosted one; customers with auto-updates on do not need to take additional action.
Shua told SearchSecurity he was unsure why Microsoft needed such a long timeline to fix issues connected to SynLapse.
"We can't speak to why it took Microsoft so long to fix the issue or for the repeated patches, besides that they were trying to fix the vulnerabilities rather than the root cause and tenant isolation issue at the infrastructure level," he said. "That is a better question for Microsoft otherwise."
A Microsoft spokesperson declined to provide a comment for SearchSecurity beyond linking to the May 9 advisory.
Orca's research followed similar reports from Tenable on Monday, which published findings on two entirely different Azure Synapse vulnerabilities and criticized Microsoft for inadequate responses to the flaws. Specifically, Tenable slammed Microsoft for downplaying the severity of the vulnerabilities and then silently patching them without disclosing the issues to customers.
Alexander Culafi is a writer, journalist and podcaster based in Boston.