Synopsis
A security issue was discovered within Microsoft’s Azure Synapse that allowed for privilege escalation to root on hosts managed by an internal Microsoft subscription ID. While we do not believe that cross-tenant access was possible via this vector, this issue granted access to potentially sensitive environmental information and allowed for the ability to forge data sent to a variety of monitoring services.
The elevated privilege level granted access to…
- Azure’s Instance Metadata Service (IMDS)
- WireServer
- Full filesystem access
- Certificates allowing access to logging infrastructure
- Vulnerability management agents and their configurations
- Shared access signature (SAS) URLs granting direct access to various storage services for the active Workspace
Additionally, running data recovery software on these hosts allowed us to recover information regarding the provisioning and setup process of Spark clusters (vhd-creation).
The specific component responsible for this privilege escalation was the Vegas Caching Service, a caching mechanism deployed within Synapse compute clusters.
Regarding severity, Tenable generally adheres to the CVSS severity scale (https://nvd.nist.gov/vuln-metrics/cvss). Tenable reported this vulnerability to MSRC as an Information Disclosure issue with the following recommendations:
- Regarding the Vegas Caching Service component, escalation to root on the service’s host constitutes a CVSSv3 score of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8).
- Regarding Azure Synapse as a whole, CVSS scoring is not an adequate measurement to use for cloud-based services, so we simply suggest a severity rating of Medium based on impacts to data integrity and confidentiality.
MSRC chose to acknowledge this issue as an Elevation of Privilege with a severity rating of Important. MSRC’s severity rating system can be found here: https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system
Technical Details:
Based on the commit logs available on hosts running in the Synapse environment, the Vegas caching service appears to have been modified in September 2023 to run as the “trusted-service-user” account. Prior iterations of this service ran as root. When this service starts, however, a separate script is run (/bin/vegas/setupPipeSize.sh) in order to set certain parameters for the Vegas service. This script still runs as root. Additionally, it is writable by the “trusted-service-user” account.
By running code on a host within the cluster running the Vegas service, it was possible to modify the setupPipeSize.sh script and kill the running Vegas service. When the service attempts to restart, our modified script will run as root, which allows us to elevate our privileges to root. The following image demonstrates this.
Solution
Microsoft has rolled out fixes for this issue across all supported regions. As this is a cloud-based service, no action is necessary for end users.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team