Azure Synapse and Data Factory

Microsoft on Monday disclosed that it mitigated a security flaw affecting Azure Synapse and Azure Data Factory that, if successfully exploited, could result in remote code execution.

The vulnerability, tracked as CVE-2022-29972, has been codenamed "SynLapse" by researchers from Orca Security, who reported the flaw to Microsoft in January 2022.

"The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole," the company said.

"The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant."

In other words, a malicious actor can weaponize the bug to acquire the Azure Data Factory service certificate and access another tenant's Integration Runtimes to gain access to sensitive information, effectively breaking tenant separation protections.

The tech giant, which resolved the security flaw on April 15, said it found no evidence of misuse or malicious activity associated with the vulnerability in the wild.

That said, the Redmond-based company has shared Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to protect customers from potential exploitation, adding it's working to bolster the security of third-party data connectors by working with driver vendors.

The findings come a little over two months after Microsoft remediated an "AutoWarp" flaw impacting its Azure Automation service that could have permitted unauthorized access to other Azure customer accounts and take over control.

Last month, Microsoft also resolved a pair of issues — dubbed "ExtraReplica" — with the Azure Database for PostgreSQL Flexible Server that could result in unapproved cross-account database access in a region.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.