SynLapse: Azure Synapse Analytics vulnerability created prolonged tenant separation risks
Security researchers regularly find vulnerabilities in the major cloud providers' services and share their findings with the providers, with their own clients and, when needed, with the public. But one such vulnerability in Microsoft Azure, discovered by researchers at Orca Security and since resolved, led to a prolonged period in which customers may have been exposed to attack.
Tzah Pahima, a researcher with cloud security provider Orca Security, discovered the Azure vulnerability dubbed “SynLapse” in January 2022. It affected Azure Synapse Analytics and Azure Data Factory and allowed attackers to bypass tenant separation and obtain credentials for other Synapse customers' accounts, take over Synapse workspaces, execute code on targeted customer machines, or leak customer credentials to external data sources.
Synapse Analytics is an Azure service that pulls and processes data from customer data sources such as Data Lake, Amazon S3 or Azure Cosmos DB; the service is subdivided into workspaces. Customers connect to those data sources through an integration runtime, either self-hosted on-premises or hosted by Microsoft as the Azure Data Factory Integration Runtime.
According to Orca, Microsoft took 100 days to fix SynLapse. The Orca team reported that it notified the Microsoft Security Response Center (MSRC) of the vulnerability on January 4 and shared the keys and certificates it had been able to extract. MSRC requested additional information in February and March and deployed a first patch at the end of March, but on March 30 Orca was able to bypass it. Microsoft paid Orca $60,000 for the find. On April 10 Orca bypassed a second patch as well. Finally, on April 15, MSRC released a third patch that closed the attack vectors.
Pahima initially discovered the vulnerability while researching self-hosted on-premises integration runtimes, where he found a shell injection in a Magnitude Simba Redshift ODBC connector. The SAML authentication plugin for that connector built a shell command from its input, and that command was vulnerable to injection. With the third patch issued in April, Synapse no longer allows customers to use an Azure-hosted integration runtime. He wrote:
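The shell-injection pattern described in the article, as a generic added illustration that is not the connector's actual code and not taken from Orca's report: a hypothetical SAML plugin reads a login-URL parameter from the connection string, builds a command line around it, and runs that line through a shell. The parameter name, the sample values and the use of `echo` as the launched helper are assumptions standing in for the real plugin's input and helper binary. The block places the vulnerable concatenation next to the fixes a reviewer would expect: running the helper with an argv list and no shell, quoting the value where a shell cannot be avoided, and an allow-list check on the value before it reaches any command line.

```python
"""Generic illustration of connection-string shell injection.
Added example code, not the Simba ODBC driver's or Microsoft's code."""
import shlex
import subprocess
from urllib.parse import urlparse

# Constructed sample values for a hypothetical SAML login-URL parameter.
BENIGN_PARAM = "https://idp.example.test/saml/login"
# Everything after the ';' is attacker-chosen; 'echo INJECTED' is a harmless
# stand-in for whatever command an attacker would really run.
INJECTED_PARAM = "https://idp.example.test/saml/login; echo INJECTED"

# 'echo' stands in for the helper binary the plugin launches with the URL.
HELPER = "echo"


def run_vulnerable(login_url: str) -> str:
    """Concatenates the parameter into one command string and hands it to
    /bin/sh. The shell parses the parameter, so ';' ends the intended
    command and starts an attacker-controlled one."""
    cmd = HELPER + " " + login_url
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=False)
    return proc.stdout


def run_hardened_argv(login_url: str) -> str:
    """Runs the helper with an argv list and no shell: the parameter is
    delivered as a single argument and never parsed for metacharacters."""
    proc = subprocess.run([HELPER, login_url], capture_output=True,
                          text=True, check=False)
    return proc.stdout


def run_hardened_quoted(login_url: str) -> str:
    """If a shell really is unavoidable, shlex.quote() wraps the value so
    the shell treats it as one literal word."""
    cmd = HELPER + " " + shlex.quote(login_url)
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=False)
    return proc.stdout


def is_safe_login_url(login_url: str) -> bool:
    """Allow-list check: the value must be an absolute https URL with no
    whitespace or shell metacharacters. Defence in depth, not a substitute
    for argv execution."""
    parts = urlparse(login_url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    forbidden = set(";|&$`<>()\\\"'\n\r")
    return not any(ch.isspace() or ch in forbidden for ch in login_url)


def run_hardened(login_url: str) -> str:
    """Validation plus argv execution: the combination a fixed plugin would use."""
    if not is_safe_login_url(login_url):
        raise ValueError("rejected login URL: " + repr(login_url))
    return run_hardened_argv(login_url)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_PARAM)))
    print("argv      :", repr(run_hardened_argv(INJECTED_PARAM)))
    print("quoted    :", repr(run_hardened_quoted(INJECTED_PARAM)))
    print("validated :", is_safe_login_url(BENIGN_PARAM),
          is_safe_login_url(INJECTED_PARAM))
```

Running the script shows the difference directly: the vulnerable path prints the URL and then `INJECTED` on its own line, because the shell executed the second command, while both hardened paths print the whole parameter as one literal line and the validator rejects it outright. The argv form is the primary fix; quoting only helps where the design forces a shell, and the allow-list catches values that should never have been accepted as a URL in the first place.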