Microsoft has disclosed a local elevation of privilege vulnerability in Azure Synapse that it quietly patched two months ago.
Azure Synapse Analytics is a Microsoft analytics service that uses different types of integration runtimes for processing data, one of which is a custom Apache Spark pool used to integrate with development tools, Python, .NET and more. Researchers with Orca Security reported the flaw to Microsoft in June, and a fix was issued June 18. Microsoft disclosed the details of the flaw on Thursday, but said that no customer action is required.
“Our internal investigations determined this is a local privilege escalation within the user’s Spark pool and does not result in any cross-tenant scenarios or exposure of sensitive secrets or customer data,” according to the Microsoft Security Response Center on Thursday.
Microsoft said that the vulnerability specifically existed in a capability in Azure Synapse that allows users to mount Azure File Shares to their Apache Spark pools. Users could do so via a script (filesharemount.sh) that executed with elevated privileges, mounting the File Share under the /synfs directory.
“There was a race condition in the script where, if successfully exploited, a user could execute the chown command to change the ownership of any directory — including the one containing the filesharemount.sh itself. This enabled a user to execute additional code with root privileges,” according to Microsoft.
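The pattern Microsoft describes, a privileged helper that creates a mount point and then changes its owner, is shown below in a hardened form. This is an added example, not the Synapse script: it assumes the race is the usual window between creating the directory and chown-ing it, during which the caller can substitute the entry, and it closes that window by requiring a parent that only the helper can write to, refusing pre-existing entries, and never following symlinks. The function name `prepare_mountpoint` and its arguments are assumptions.

```shell
#!/bin/sh
# Hardened mount-point preparation (added example, not the Synapse helper).
# Model of the weak pattern, assumed for illustration:
#     mkdir -p "$PARENT/$name" && chown "$uid" "$PARENT/$name"
# The window between mkdir and chown lets the caller swap the entry, so
# the chown lands on a directory the caller chose.
# Defensive shape demonstrated here:
#  1. the parent must be a real directory owned by the helper's uid
#     (root in production) and not group/world-writable, so the caller
#     cannot rename or replace entries inside it;
#  2. mkdir without -p fails if anything already exists at that name,
#     so a pre-planted directory, file or symlink is rejected;
#  3. chown -h changes the entry itself and never follows a symlink.
# Usage: prepare_mountpoint PARENT NAME OWNER_UID   (0 = ok, 1 = refused)
prepare_mountpoint() {
    parent=$1; name=$2; owner=$3
    # reject names that are empty or could escape the parent
    case "$name" in ''|*/*|.|..) echo "bad mount name" >&2; return 1 ;; esac
    # 1. parent must exist, be a directory, and be owned by us
    [ -d "$parent" ] && [ ! -L "$parent" ] || { echo "parent missing" >&2; return 1; }
    if [ "$(stat -c %u "$parent")" != "$(id -u)" ]; then
        echo "parent not owned by helper uid" >&2; return 1
    fi
    # ... and not writable by group or others (GNU find: any of bits 022 set)
    if [ -n "$(find "$parent" -maxdepth 0 -perm /022)" ]; then
        echo "parent writable by others" >&2; return 1
    fi
    # 2. create the mount point ourselves; an existing entry is an error
    mkdir "$parent/$name" 2>/dev/null || { echo "entry already exists" >&2; return 1; }
    # 3. ownership change that cannot be redirected through a symlink
    chown -h "$owner" "$parent/$name"
}
```

Run as an unprivileged user the test below exercises only the checks, since chown to one's own uid needs no privilege; the same logic applies unchanged when the helper runs as root.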
After researchers with Orca Security reported the flaw on June 1, they noted an “unplanned crossover” after learning that Tenable had published its own findings about the bug on June 13.
“To our surprise, one of their vulnerabilities was a local privilege escalation in the Apache Spark cluster feature inside Synapse,” said Tzah Pahima with Orca Security in a Thursday post. “After reading their blog, it was now clear that we found a bypass to the fix deployed by Microsoft to mitigate the issue reported by Tenable, which they considered being fully resolved.”
James Sebree, senior staff research engineer at Tenable, who found the bug for Tenable, said Tenable Research originally reported the flaw to Microsoft in March.
"The news today is that researchers found a bypass to the patch Microsoft created for the vulnerability originally found by Tenable," said Sebree. "What is interesting is when the bug was initially disclosed to Microsoft, it was categorized as 'low' severity and now it is categorized as 'important' – or a 3 out of 4 on the Microsoft severity scale."
Pahima said that no CVE was assigned to the bug because it was a piece of code used inside Azure Synapse and not part of a public product. Microsoft noted that the impact of the EoP bug was limited to the user's Spark pool and that it did not permit unauthorized access to other customers’ workloads or sensitive data. The company issued a fix by indefinitely removing the capability to mount Azure File Shares to Spark pools.