Azure issues not adequately fixed for months, complain bug hunters
Redmond kicks off Patch Tuesday with a months-old flaw fix
Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.
In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.
Long and winding road
Orca's story starts on January 4, when Pahima reported a bug he named SynLapse.
This flaw, which received a 7.8 severity score and is tracked as CVE-2022-29972, could allow a remote attacker to bypass tenant separation in the data analytics service to access and control other customers' workspaces. In addition to stealing credentials, miscreants could also exploit this vulnerability to leak sensitive data stored in the cloud services including Azure keys, API tokens and passwords.
Microsoft alerted customers and pushed out a patch in March, but Orca's bughunters bypassed it and notified Microsoft on March 30.
In April, 90 days after disclosing the security flaw, Orca said it notified Microsoft that the keys and certificates were still valid, and its security researchers still had Synapse management server access.
Microsoft patched the bypass on April 10, but Orca again blew through the patch and notified Redmond that its analytics service remained vulnerable.
- Orca Security tells AWS fail tale with a happy ending
- Microsoft closes Windows LSA hole under active attack
- Symantec: More malware operators moving in to exploit Follina
- Microsoft fixes cross-account vulns in Azure Database for PostgreSQL service
Which brings us to this week. Several patches later, and with the threat of Orca's soon-to-publish technical analysis looming, Microsoft on Monday reportedly told Orca that it fixed the infrastructure weakness – this time, for real.
The Register hasn't seen Microsoft's mitigation. "Microsoft today contacted us and let us know that they have implemented more robust fixes for the issues," Orca CTO Yoav Alon said in an interview on Monday, adding that the research team hasn't had time to validate the patches.
We're told that in late May, Microsoft deployed more comprehensive tenant isolation – which included ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.
'Repeated pattern of behavior'
At press time, Redmond hadn't responded to The Register's request to see the information provided to Orca. Microsoft also ignored requests for comment about the Orca and Tenable CEOs' blogs, and its security team did not answer questions about why the Synapse bugs took so long to fix.
The Tenable CEO's post details Microsoft's response to a privilege escalation flaw that researchers discovered could be exploited by anyone using Azure Synapse.
Microsoft, according to Yoran, "silently patched" one of the bugs, and "privately acknowledged the severity" of the security holes 89 days after Tenable disclosed them – and only after Tenable said it was going public with the exploit proof-of-concept.
"This is a repeated pattern of behavior," Yoran wrote.
"Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft's dismissive attitude about the risk that vulnerabilities present to their customers," he added, citing Orca's Synapse vulnerability research along with similar tales from Wiz, Positive Security and Fortinet's take on the the Follina zero-day exploit.
In an interview with The Register, Orca CEO Avi Shua and CTO Yoav Alon said the cloud security shop's researchers are always poking around for vulnerabilities in cloud environments. Most of the time, after Orca's team discloses the bugs, the cloud services providers fix them promptly – "with the highest level of seriousness that you can imagine," Shua said.
Shua noted two earlier vulns that the Orca team found in AWS Glue and AWS Cloud Formation. Amazon fixed both in about 25 hours.
"Unfortunately, this time it was a little bit different," he said, adding that he had to escalate the bug to the EVP level before anyone at Microsoft paid attention.
"Everyone has vulnerabilities," Shua continued. "We know that. But the bigger and more important you are in the ecosystem, and more impactful your business is, the question of how timely you're able to mitigate them is the top item."
In other words: Microsoft, as the number two cloud provider, is almost as big as they come. "Why did it take five months for Microsoft to mitigate a vulnerability in a core Azure service? It has yet to be answered," Shua lamented.
90 days? Or five months?
The security industry as a whole has agreed upon a 90-day responsible disclosure timeline, Shua said, noting that this should give software vendors plenty of time to work with security researchers, fix the issue and protect customers before a full public disclosure.
But this mutually agreed upon deadline predates the cloud, "and one can argue that it should be much shorter than 90 days," Shua said. "We saw AWS was able to deploy [patches] within a day or two."
Regardless, specific to the critical tenant separation flaws in Microsoft's Azure Synapse, "we're talking about five months," he noted.
This is especially dangerous because, as Microsoft admitted in its May Patch Tuesday blog, publicly disclosed exploit code for this bug already exists. Plus, according to Orca's Alon, it's not very difficult to exploit.
When asked how technically sophisticated an attacker would have to be to exploit the RCE bug and gain access to other customers' Azure environments, Alon said: "Unfortunately, not very sophisticated. I would classify it as medium."
In a video, Orca demonstrated how a criminal could leak a victim's credentials entered in Synapse knowing nothing but the name of a Synapse instance.
Customers should demand transparency from their cloud providers, Shua said. "This is critical," he added. "Vulnerabilities will exist in the future, and there is nothing we can do to prevent those. But the question is: how fast was it fixed? What is the attack surface? How was it mitigated, and time is a huge part of that." ®
Updated to add
"We are deeply committed to protecting our customers and we believe security is a team sport," a Microsoft spokesperson told The Register.
"We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection."