Tenacious fix of two serious security vulnerabilities in Microsoft’s cloud environment
Since March 10, Tenable Research has been trying to work with Microsoft to fix two serious vulnerabilities in the infrastructure of Azure Synapse Analytics.
Synapse Analytics is a platform used for machine learning, data aggregation and other computing applications. The service is currently listed under the “high-impact” scenarios in Microsoft’s Azure Bug Bounty program. Microsoft states that products and scenarios listed under this heading “have the highest potential impact on customer security”.
Tenable Research has discovered two serious vulnerabilities in the infrastructure on which this service runs. These vulnerabilities allow a user to escalate privileges to root within the underlying Apache Spark virtual machines, or to “poison” the hosts file of all nodes in an Apache Spark pool. The keys, secrets and services reachable through these vulnerabilities are known to allow further lateral movement and compromise of Microsoft’s own infrastructure. This can potentially lead to the compromise of other customers’ data, as has recently been observed in several other cases, such as ChaosDB from Wiz and SynLapse from Orca. Microsoft, however, has stated that cross-tenant access via these attack vectors is not possible.
Tenable reported these issues to Microsoft on March 10, 2022. Microsoft began rolling out a fix for the privilege escalation issue on April 30, 2022, and Tenable currently assumes that this issue has been resolved in all regions. End users do not have to do anything to ensure that their environments are no longer affected. The hosts file poisoning attack is not yet patched at the time of this writing. Due to the nature of these vulnerabilities and the disclosure process, Tenable does not yet have CVE reference numbers for them.
During the disclosure process, Microsoft representatives initially appeared to agree that these were critical issues, and Microsoft developed and deployed a privilege escalation patch without requesting further information from Tenable Research. In the final days of the disclosure process, however, the Microsoft Security Response Center (MSRC) tried to downplay the severity of the privilege escalation issue, classifying it as a “best practice recommendation” rather than a security issue. Despite clear evidence to the contrary, the MSRC declined to award a bounty or recognition for this discovery. After Tenable informed Microsoft that it would publish information about the vulnerabilities, Microsoft representatives reversed the earlier decision and classified these problems as security-relevant. This shows a clear lack of communication between the teams involved at Microsoft.
These vulnerabilities, and the interaction between Tenable researchers and Microsoft, show how difficult it is to address security issues in cloud environments. The entire process is largely beyond the customer’s control; customers are completely dependent on the cloud provider to fix the reported problems. The good news is that once a problem is fixed, it really is fixed: as a rule, customers do not have to do anything, because everything happens behind the scenes. The bad news is that cloud providers rarely disclose that a security-relevant vulnerability existed at all.
More detailed information about the interactions with Microsoft and the technical details of these vulnerabilities can be found in this post on the Tenable TechBlog.