{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-033.pdf"
    },
    "title": "Critical RCE Vulnerabilities in Microsoft Azure Synapse",
    "serial_number": "2022-033",
    "publish_date": "10-05-2022 13:06:00",
    "description": "On May 9th, Microsoft issued one security advisory addressing a critical RCE vulnerability in the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR). This vulnerability, CVE-2022-29972, has a CVSS score of 8.2 out of 10 and may allow an attacker to perform remote command execution across IR infrastructure, not limited to a single tenant.<br>According to the Microsoft article, there was no evidence of misuse or malicious activity. Only self-hosted IR environments without auto-update need to take action to safeguard their deployments.",
    "url_title": "2022-033",
    "content_markdown": "---\ntitle: 'Critical RCE Vulnerabilities in\u00a0Microsoft Azure Synapse'\nversion: '1.0'\nnumber: '2022-033'\ndate: 'May 10, 2022'\n---\n\n_History:_\n\n* _10/05/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 9th, Microsoft issued one security advisory addressing a critical RCE vulnerability in the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) [1]. This vulnerability, CVE-2022-29972, has a CVSS score of 8.2 out of 10 and may allow an attacker to perform remote command execution across IR infrastructure, not limited to a single tenant.\n\nAccording to the Microsoft article [2], there was no evidence of misuse or malicious activity. Only self-hosted IR environments without auto-update need to take action to safeguard their deployments.\n\n# Technical Details\n\nThe vulnerability in the third-party ODBC connector for Amazon Redshift allowed a user running jobs in a Synapse pipeline to execute remote commands. A user who exploited this vulnerability could then potentially acquire the Azure Data Factory service certificate and execute commands in another tenant\u2019s Azure Data Factory Integration Runtimes. These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse.\n\nExploiting this vulnerability requires an attacker to have at least one of the following roles:\n\n* Synapse Administrator\n* Synapse Contributor\n* Synapse Compute Operator\n\n# Affected Products\n\nAzure Data Factory with Self-hosted IRs (SHIRs) with a version less than 5.17.8154.2.\n\nSHIRs with auto-update enabled or using Azure IRs are already mitigated.\n\n# Recommendations\n\nAzure Data Factory with Self-hosted IRs (SHIRs) with auto-update turned off must update their SHIRs to the latest version (5.17.8154.2) that can be found here [3]. 
These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or above running client and server platforms, including the latest releases (Windows 11 and Windows Server 2022).\n\nFor additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network, which provides better compute and network isolation.\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972>\n\n[2] <https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972/>\n\n[3] <https://www.microsoft.com/en-us/download/details.aspx?id=39717>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/05/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 9th, Microsoft issued one security advisory addressing a critical RCE vulnerability in the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) [1]. This vulnerability, CVE-2022-29972, has a CVSS score of 8.2 out of 10 and may allow an attacker to perform remote command execution across IR infrastructure, not limited to a single tenant.</p><p>According to the Microsoft article [2], there was no evidence of misuse or malicious activity. Only self-hosted IR environments without auto-update need to take action to safeguard their deployments.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability in the third-party ODBC connector for Amazon Redshift allowed a user running jobs in a Synapse pipeline to execute remote commands. A user who exploited this vulnerability could then potentially acquire the Azure Data Factory service certificate and execute commands in another tenant\u2019s Azure Data Factory Integration Runtimes. These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse.</p><p>Exploiting this vulnerability requires an attacker to have at least one of the following roles:</p><ul><li>Synapse Administrator</li><li>Synapse Contributor</li><li>Synapse Compute Operator</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>Azure Data Factory with Self-hosted IRs (SHIRs) with a version less than 5.17.8154.2.</p><p>SHIRs with auto-update enabled or using Azure IRs are already mitigated.</p><h2 id=\"recommendations\">Recommendations</h2><p>Azure Data Factory with Self-hosted IRs (SHIRs) with auto-update turned off must update their SHIRs to the latest version (5.17.8154.2) that can be found here [3]. 
These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or above running client and server platforms, including the latest releases (Windows 11 and Windows Server 2022).</p><p>For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network, which provides better compute and network isolation.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972/\">https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.microsoft.com/en-us/download/details.aspx?id=39717\">https://www.microsoft.com/en-us/download/details.aspx?id=39717</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}