Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

Long and winding road

Orca's story starts on January 4, when Pahima reported a bug he named SynLapse. 

This flaw, which received a 7.8 severity score and is tracked as CVE-2022-29972, could allow a remote attacker to bypass tenant separation in the data analytics service to access and control other customers' workspaces. In addition to stealing credentials, miscreants could also exploit this vulnerability to leak sensitive data stored in the cloud services including Azure keys, API tokens and passwords. 

Microsoft alerted customers and pushed out a patch in March, but Orca's bug hunters bypassed it and notified Microsoft on March 30.

In April, 90 days after disclosing the security flaw, Orca said it notified Microsoft that the keys and certificates were still valid, and its security researchers still had Synapse management server access. 

Microsoft patched the bypass on April 10, but Orca again blew through the patch and notified Redmond that its analytics service remained vulnerable.

Both Microsoft and Orca issued subsequent blogs in May, with Redmond insisting it had mitigated the flaw and Orca claiming the tenant separation in Synapse remained insufficient to protect secrets.

Which brings us to this week. Several patches later, and with the threat of Orca's soon-to-publish technical analysis looming, Microsoft on Monday reportedly told Orca that it fixed the infrastructure weakness – this time, for real.

The Register hasn't seen Microsoft's mitigation. "Microsoft today contacted us and let us know that they have implemented more robust fixes for the issues," Orca CTO Yoav Alon said in an interview on Monday, adding that the research team hasn't had time to validate the patches. 

We're told that in late May, Microsoft deployed more comprehensive tenant isolation – which included ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.

'Repeated pattern of behavior'

At press time, Redmond hadn't responded to The Register's request to see the information provided to Orca. Microsoft also ignored requests for comment about the Orca and Tenable CEOs' blogs, and its security team did not answer questions about why the Synapse bugs took so long to fix.

The Tenable CEO's post details Microsoft's response to a privilege escalation flaw that researchers discovered could be exploited by anyone using Azure Synapse. 

Microsoft, according to Yoran, "silently patched" one of the bugs, and "privately acknowledged the severity" of the security holes 89 days after Tenable disclosed them – and only after Tenable said it was going public with the exploit proof-of-concept.

"This is a repeated pattern of behavior," Yoran wrote. 

"Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft's dismissive attitude about the risk that vulnerabilities present to their customers," he added, citing Orca's Synapse vulnerability research along with similar tales from Wiz, Positive Security and Fortinet's take on the Follina zero-day exploit.

In an interview with The Register, Orca CEO Avi Shua and CTO Yoav Alon said the cloud security shop's researchers are always poking around for vulnerabilities in cloud environments. Most of the time, after Orca's team discloses the bugs, the cloud services providers fix them promptly – "with the highest level of seriousness that you can imagine," Shua said.

Shua noted two earlier vulns that the Orca team found in AWS Glue and AWS CloudFormation. Amazon fixed both in about 25 hours.

"Unfortunately, this time it was a little bit different," he said, adding that he had to escalate the bug to the EVP level before anyone at Microsoft paid attention.

"Everyone has vulnerabilities," Shua continued. "We know that. But the bigger and more important you are in the ecosystem, and more impactful your business is, the question of how timely you're able to mitigate them is the top item."

In other words: Microsoft, as the number two cloud provider, is almost as big as they come. "Why did it take five months for Microsoft to mitigate a vulnerability in a core Azure service? It has yet to be answered," Shua lamented.

90 days? Or five months?

The security industry as a whole has agreed upon a 90-day responsible disclosure timeline, Shua said, noting that this should give software vendors plenty of time to work with security researchers, fix the issue and protect customers before a full public disclosure. 

But this mutually agreed upon deadline predates the cloud, "and one can argue that it should be much shorter than 90 days," Shua said. "We saw AWS was able to deploy [patches] within a day or two."

Regardless, specific to the critical tenant separation flaws in Microsoft's Azure Synapse, "we're talking about five months," he noted.

This is especially dangerous because, as Microsoft admitted in its May Patch Tuesday blog, publicly disclosed exploit code for this bug already exists. Plus, according to Orca's Alon, it's not very difficult to exploit. 

When asked how technically sophisticated an attacker would have to be to exploit the RCE bug and gain access to other customers' Azure environments, Alon said: "Unfortunately, not very sophisticated. I would classify it as medium."

In a video, Orca demonstrated how a criminal could leak a victim's credentials entered in Synapse knowing nothing but the name of a Synapse instance.

Customers should demand transparency from their cloud providers, Shua said. "This is critical," he added. "Vulnerabilities will exist in the future, and there is nothing we can do to prevent those. But the question is: how fast was it fixed? What is the attack surface? How was it mitigated, and time is a huge part of that." ®

Updated to add

"We are deeply committed to protecting our customers and we believe security is a team sport," a Microsoft spokesperson told The Register.

"We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection."
