Azure Synapse Analytics is an integrated platform service from Microsoft Azure that combines data warehousing, data integration and ETL pipelines, analytics tools and services, big-data scale, and visualization and dashboards.
Each Synapse instance is called a workspace. To import and process data from an external data source, a customer enters credentials and the relevant connection details, and then connects to that source through an integration runtime: a machine that connects to many different data sources (for example, CosmosDB, Azure Data Lake, and external sources such as Amazon S3). Because the integration runtime holds those customer credentials while it works, how strongly one customer's runtime is isolated from another's is the security-relevant question.
The Orca Research Pod identified a vulnerability that allowed an attacker to access and control other customers’ Synapse workspaces and leak sensitive data stored in the service including Azure service keys, API tokens, and passwords to other services. The vulnerability also affected Azure Data Factory.
These are some of the things that the Orca Research team was able to do:
The Orca research team reported SynLapse to Microsoft Security Response Center (MSRC) in early January 2022, in accordance with the industry-standard 90-day coordinated vulnerability disclosure process. The report included Orca’s concerns about the weak implementation of tenant separation in this service, as well as the fact that it was possible to download highly privileged internal Microsoft keys.
When reporting the issue, Orca suggested that Microsoft implement a number of mitigations, mainly:
After months of back-and-forth communication with Microsoft, more than 100 days after initial disclosure, on May 9 both Orca Security and MSRC published blog posts outlining the vulnerability, mitigations, and recommendations for customers.
At the beginning of June, Microsoft shared with us that they had implemented all recommendations and that the Synapse Integration Runtime now uses ephemeral nodes and scoped, low-privileged API tokens.
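To make concrete what "scoped, low-privileged API tokens" buys over a single shared, highly privileged key, the following Python example was written for this page; it is not Microsoft's code and does not describe the real Synapse control plane. The workspace names, scope strings, key values and the toy token format are all constructed assumptions. It places the weak design (one long-lived key honoured for every tenant) beside the hardened one (a token bound to one workspace, an explicit scope list and a short expiry, signed by a key that never leaves the control plane) and shows which cross-tenant, privilege-escalation, expiry and tampering attempts each design rejects.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed toy control plane for integration-runtime jobs. Written for this
# page as an illustration only; not Microsoft's implementation.

# Weak design: one long-lived key shared by every tenant's runtime.
SHARED_RUNTIME_KEY = "constructed-shared-runtime-key"  # assumed value


def weak_authorize(presented_key: str, workspace_id: str, action: str) -> bool:
    """Shared-key check: any holder of the key may act on any workspace.

    workspace_id and action are ignored, which is exactly the problem: a key
    extracted from one tenant's runtime is valid for every other tenant.
    """
    return hmac.compare_digest(presented_key, SHARED_RUNTIME_KEY)


# Hardened design: per-workspace, short-lived, scope-limited tokens signed by
# the control plane. The signing key is never handed to a runtime node.
CONTROL_PLANE_SIGNING_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(workspace_id: str, scopes: list, ttl_seconds: int, now: float = None) -> str:
    """Issue a token bound to one workspace, an explicit scope list and an expiry."""
    now = time.time() if now is None else now
    claims = {
        "ws": workspace_id,
        "scopes": sorted(scopes),
        "exp": int(now) + ttl_seconds,
        "jti": _b64e(secrets.token_bytes(8)),  # unique per issuance
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(CONTROL_PLANE_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(sig)


def verify_token(token: str, workspace_id: str, required_scope: str, now: float = None):
    """Return (ok, reason). The signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    try:
        body, sig = _b64d(parts[0]), _b64d(parts[1])
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed"
    expected = hmac.new(CONTROL_PLANE_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["exp"] <= now:
        return False, "expired"
    if claims["ws"] != workspace_id:
        return False, "workspace mismatch"
    if required_scope not in claims["scopes"]:
        return False, "scope not granted"
    return True, "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Exercise both designs with two constructed tenants, workspace-A and workspace-B."""
    results = {}
    # Weak: a key leaked from tenant A's runtime authorizes actions on tenant B.
    results["weak_cross_tenant"] = weak_authorize(SHARED_RUNTIME_KEY, "workspace-B", "read-secrets")

    # Hardened: tenant A's runtime gets a 10-minute token scoped to reading its own source.
    tok = mint_token("workspace-A", ["source:read"], ttl_seconds=600, now=now)
    results["scoped_ok"] = verify_token(tok, "workspace-A", "source:read", now=now)
    results["scoped_cross_tenant"] = verify_token(tok, "workspace-B", "source:read", now=now)
    results["scoped_privilege"] = verify_token(tok, "workspace-A", "secrets:read", now=now)
    results["scoped_expired"] = verify_token(tok, "workspace-A", "source:read", now=now + 601)

    # Tampering: rewrite the workspace claim without access to the signing key.
    body_b64, sig_b64 = tok.split(".")
    claims = json.loads(_b64d(body_b64))
    claims["ws"] = "workspace-B"
    forged_body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    results["scoped_forged"] = verify_token(_b64e(forged_body) + "." + sig_b64, "workspace-B", "source:read", now=now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the comparison is the blast radius of a compromised runtime node: under the shared-key design, whatever an attacker extracts from one node is usable against every tenant indefinitely, whereas a scoped token is only good for one workspace, one set of actions and a few minutes, and is worthless once the node that held it is torn down. Ephemeral nodes shrink the window further; a real deployment would also bind tokens to the node identity and log every rejection reason above as a detection signal.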
In light of this information, Orca now believes that Azure Synapse Analytics provides sufficient tenant isolation. As such, Orca has removed alerting on Synapse from within the Orca Cloud Security Platform and published a further blog describing the full technical details of the SynLapse vulnerability. Microsoft continues to work on additional isolation and hardening.
The Orca Security Research Team continues to dig into different cloud products and services to find zero-day vulnerabilities like this one. Our goal is to discover these vulnerabilities before any malicious actors do.
Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP, without the gaps in coverage, alert fatigue, and operational costs of agents.