Remediated vulnerability

SynLapse: Critical Azure Synapse Vulnerability

Risk Level: Compromised

Where Was This Vulnerability Found?

Azure Synapse Analytics is an integrated platform service from Microsoft Azure that combines data warehousing, data integration, ETL pipelines, analytics tools and services, big-data scale, and visualization and dashboards.

Each Synapse instance is called a workspace. To import and process data from an external data source, a customer inputs credentials and relevant data, and then connects to that source via an integration runtime—a machine that connects to many different data sources (e.g., CosmosDB, Azure Data Lake, and external sources such as Amazon S3).

SynLapse Vulnerability

The Orca Research Pod identified a vulnerability that allowed an attacker to access and control other customers’ Synapse workspaces and leak sensitive data stored in the service including Azure service keys, API tokens, and passwords to other services. The vulnerability also affected Azure Data Factory.

These are some of the things that the Orca Research team was able to do:

  • Gain authorization inside other customer accounts while acting as their Synapse workspace and access even more resources inside a customer’s account depending on the configuration.
  • Leak credentials that customers stored in their Synapse workspace.
  • Communicate with other customers’ integration runtimes, which could have been leveraged to achieve remote code execution (RCE) on any customer’s integration runtime.
  • Take control of the Azure batch pool managing all of the shared integration runtimes and run code on every instance.

How Did Orca Help?

The Orca research team reported SynLapse to Microsoft Security Response Center (MSRC) in early January 2022, in accordance with the industry-standard 90-day coordinated vulnerability disclosure process. The report included Orca’s concerns about the weak implementation of tenant separation in this service, as well as the fact that it was possible to download highly privileged internal Microsoft keys.

When reporting the issue, Orca suggested that Microsoft implement a number of mitigations, mainly:

  1. A sandbox – Move the shared integration runtime to a sandboxed ephemeral VM. Even if an attacker could execute code on the integration runtime, that runtime would never be shared between two tenants, so no other tenant’s sensitive data would be exposed.
  2. Limit API access – Implement least-privilege access to the internal management server. This prevents an attacker holding the runtime’s certificate from using it to access other tenants’ information.
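The second mitigation is easiest to see in code. The example below is an added illustration, not Microsoft’s code or the Synapse management API: it contrasts a hypothetical shared-certificate lookup, where one credential common to every runtime unlocks any tenant’s stored secrets, with a least-privilege design in which each token is signed, short-lived, bound to exactly one tenant, and carries an explicit scope. All names (`CREDENTIAL_STORE`, `issue_token`, `scoped_lookup`, `legacy_lookup`), the sample tenants and the secret are constructed for the demonstration.

```python
"""Tenant-scoped, least-privilege tokens for an internal management API.

Added illustration; not Microsoft's code or the Synapse API. Every name and
value here (CREDENTIAL_STORE, SERVER_SECRET, the tenant ids) is constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed sample data: credentials each tenant stored for its linked services.
CREDENTIAL_STORE: Dict[str, Dict[str, str]] = {
    "tenant-a": {"s3-landing": "AKIA-EXAMPLE-A", "cosmos-orders": "cosmos-key-a"},
    "tenant-b": {"adls-raw": "adls-key-b"},
}

# Constructed signing key for the demo only; a real service would load this from a vault.
SERVER_SECRET = b"constructed-hmac-secret-for-demo"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, base64url-encoded (no '.' can appear)."""
    digest = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_token(tenant_id: str, scopes: List[str], ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Mint a short-lived token bound to exactly one tenant and a small scope set."""
    now = time.time() if now is None else now
    claims = {"tenant": tenant_id, "scopes": sorted(scopes), "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if signature and expiry check out, else raise PermissionError."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        raise PermissionError("malformed token")
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def legacy_lookup(shared_cert: str, tenant_id: str) -> Dict[str, str]:
    """Weak pattern: one certificate shared by every runtime unlocks any tenant.

    Nothing ties the caller to tenant_id, so whoever holds the shared
    certificate can read every tenant's stored credentials.
    """
    if shared_cert != "shared-runtime-cert":  # constructed placeholder value
        raise PermissionError("unknown certificate")
    return CREDENTIAL_STORE[tenant_id]


def scoped_lookup(token: str, tenant_id: str, now: Optional[float] = None) -> Dict[str, str]:
    """Least-privilege pattern: the token's own tenant and scope bound what it can read."""
    claims = verify_token(token, now)
    if claims["tenant"] != tenant_id:
        raise PermissionError("cross-tenant access denied")
    if "credentials:read" not in claims["scopes"]:
        raise PermissionError("scope credentials:read required")
    return CREDENTIAL_STORE[tenant_id]


def can_read(token: str, tenant_id: str, now: Optional[float] = None) -> bool:
    """Convenience wrapper: True only if the scoped lookup is authorized."""
    try:
        scoped_lookup(token, tenant_id, now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    tok = issue_token("tenant-a", ["credentials:read"])
    print("own tenant:", scoped_lookup(tok, "tenant-a"))
    print("other tenant allowed?", can_read(tok, "tenant-b"))
    print("legacy shared cert reaches tenant-b:", legacy_lookup("shared-runtime-cert", "tenant-b"))
```

The point of the contrast is that in the legacy model a runtime compromise turns one shared certificate into a key for every tenant’s stored credentials, whereas with scoped tokens the same compromise yields a credential that expires in minutes and can only read the compromised tenant’s own data; cross-tenant reads, expired tokens, tampered signatures and tokens lacking the `credentials:read` scope are all refused.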

After months of back and forth communication with Microsoft—over 100 days from initial disclosure—on May 9, both Orca Security and MSRC published blogs outlining the vulnerability, mitigations, and recommendations for customers. 

At the beginning of June, Microsoft shared with us that they had implemented all recommendations and that the Synapse Integration Runtime now uses ephemeral nodes and scoped, low-privileged API tokens.

In light of this information, Orca now believes that Azure Synapse Analytics provides sufficient tenant isolation. As such, Orca has removed alerting on Synapse from within the Orca Cloud Security Platform and published a further blog describing the full technical details of the SynLapse vulnerability. Microsoft continues to work on additional isolation and hardening.

The Orca Security Research Team continues to investigate different cloud products and services to find such zero-day vulnerabilities. Our goal is to discover these vulnerabilities before any malicious actors do.

Orca

Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.