Microsoft Releases Patch for the Third-party ODBC Driver Remote Code Execution Vulnerability (CVE-2022-29972)

Microsoft has released a patch addressing a flaw in Azure Data Factory and Azure Synapse pipelines (tracked as CVE-2022-29972). The flaw affects the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and the Azure Data Factory Integration Runtime (IR); it did not impact Azure Synapse as a whole. The vulnerability could allow attackers to execute remote commands across the Integration Runtime infrastructure.
 
Security researchers at Orca Security found and reported this vulnerability. It was patched on April 15th, with no evidence of exploitation before the fixes were released.
 
Azure Data Factory is a Microsoft cloud Extract, Transform, Load (ETL) service that enables data integration and data transformation. It is a standalone service that is also available as Azure Synapse pipelines.
 
Customers who use Azure Data Factory or Azure Synapse pipelines can set up an Integration Runtime (IR) in their factories and/or workspaces to allow data to flow between multiple network environments. Data from numerous sources can be integrated into Synapse Analytics workspaces using Azure Synapse pipelines. These pipelines also support connectors, allowing data to be merged across several data stores, including third-party products. 
 
IRs used by Azure Synapse pipelines can be hosted in the Azure cloud (Azure Integration Runtime) or on-premises (Self-Hosted Integration Runtime).
 
Description 
Successful exploitation of this vulnerability in the ODBC connector for Amazon Redshift (CVE-2022-29972) could allow a malicious user running jobs in a Synapse pipeline to execute remote commands. An attacker who successfully exploited this flaw could obtain the Azure Data Factory service certificate and run commands in another tenant's Azure Data Factory Integration Runtimes. These certificates apply only to Azure Data Factory and Synapse pipelines and have no bearing on the rest of Azure Synapse.
 
Affected versions  
Microsoft Azure Data Factory versions prior to 5.17.8154.2 are affected by this vulnerability. 
 
Mitigation  
There is no action needed from Azure Data Factory or Azure Synapse pipeline customers who are hosted in the Azure Cloud (Azure Integration Runtime) or who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on.  
Customers using Azure Data Factory with Self-hosted IRs (SHIRs) with auto-update turned off are advised to upgrade to the latest version, 5.17.8154.2. The updates can be downloaded from Microsoft’s Download Center. 
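The mitigation rule above reduces to a simple per-node decision: a Self-hosted IR with auto-update on needs nothing, one with auto-update off needs to be at 5.17.8154.2 or later. The script below is an added example (not Qualys or Microsoft code) that applies that rule to an inventory of SHIR nodes. The fixed version comes from the advisory; the inventory records, node names, and the `auto_update` field are constructed sample data shaped like what an operator might export from the Azure portal or Az PowerShell. It also guards against the common mistake of comparing version strings lexicographically, under which "5.9.7900.1" would wrongly sort after "5.17.8154.2".

```python
"""Triage Self-hosted Integration Runtime (SHIR) nodes against the
CVE-2022-29972 fix.

Added example, not Qualys or Microsoft code. The fixed version and the
mitigation rule (auto-update on => no action; auto-update off => must be at
or above the fixed version) come from the advisory text. Inventory records,
node names and the auto_update field are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

FIXED_VERSION = "5.17.8154.2"  # first patched SHIR release named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.17.8154.2' into (5, 17, 8154, 2) so comparison is numeric.

    A plain string comparison is wrong here: '5.9.7900.1' > '5.17.8154.2'
    as strings, but 5.9 is older than 5.17.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the node runs the fixed version or anything newer."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


@dataclass
class ShirRecord:
    name: str         # constructed node name
    version: str      # SHIR version string as shown in the portal
    auto_update: bool  # assumed field: whether auto-update is enabled


def triage(records: List[ShirRecord]) -> List[Tuple[str, str]]:
    """Return (name, action) pairs following the advisory's mitigation rule."""
    results = []
    for r in records:
        if r.auto_update:
            action = "no action (auto-update on)"
        elif is_patched(r.version):
            action = "no action (already at or above fixed version)"
        else:
            action = f"UPGRADE to {FIXED_VERSION} (auto-update off, running {r.version})"
        results.append((r.name, action))
    return results


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ShirRecord("shir-onprem-01", "5.16.8100.1", auto_update=False),  # needs upgrade
    ShirRecord("shir-onprem-02", "5.9.7900.1", auto_update=True),    # auto-update covers it
    ShirRecord("shir-dmz-01", "5.17.8154.2", auto_update=False),     # already fixed
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name}: {action}")
```

Feed it the version and auto-update state of each registered SHIR node; anything flagged `UPGRADE` is the set to patch from Microsoft's Download Center.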
 
For more information, refer to the Microsoft Security Advisory (ADV220001).
 
Qualys Detection  
Qualys customers can scan their devices with QID 91894 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972  
https://www.bleepingcomputer.com/news/security/microsoft-releases-fixes-for-azure-flaw-allowing-rce-attacks/  
https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972 
