Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.
Microsoft has conducted a detailed internal investigation to identify any cases of abuse. The only activity identified was performed by Orca Security, who reported the vulnerability. Our investigation found no evidence of misuse or malicious activity. The vulnerability was mitigated on April 15, 2022.
There is no action needed from Azure Data Factory or Azure Synapse pipeline customers who are hosted in the Azure cloud (Azure Integration Runtime) or who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on. Self-hosted IR customers without auto-update need to take action to safeguard their deployments. Customers with this configuration were notified and provided guidance through Azure Service Health Alerts (Tracking ID: MLC3-LD0); additional information can be found below in the “Customer Recommendations and Additional Support” section. Customers with auto-updates enabled do not need to take additional action.
The following sections explain in more detail the relevant architectural background of the services and components involved, some high-level technical details of the vulnerability, the steps Microsoft has taken to mitigate the issue, and any next steps or recommendations for customers.
Azure Data Factory is a Microsoft cloud Extract, Transform, Load (ETL) service that enables data integration and data transformation. Azure Data Factory is available as a standalone service, and it is also provided as Azure Synapse pipelines.
Customers using Azure Data Factory or Azure Synapse pipelines can create an Integration Runtime (IR) in their factories and/or workspaces to allow for data integration across different network environments. Azure Synapse pipelines can be used to integrate data from various sources into Synapse Analytics workspaces. These pipelines also support connectors, which allow data to be integrated across different data stores, including third-party products. Azure Data Factory and Azure Synapse pipelines have many data connectors to different data sources built-in today.
IRs using Azure Synapse pipelines can be hosted in the Azure cloud (via the Azure Data Factory Integration Runtime) or hosted on-premises (Self-Hosted Integration Runtime). Cloud-hosted Azure IRs can also be configured with a Managed Virtual Network (VNet) and will use private endpoints to connect to supported data stores, which can provide an extra layer of network isolation.
As a high-level architectural overview of the hosting models:
The vulnerability was specific to the third-party ODBC connector used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR).
The vulnerability in the third-party ODBC connector for Amazon Redshift allowed a user running jobs in a Synapse pipeline to execute remote commands. A user who exploited this vulnerability could then potentially acquire the Azure Data Factory service certificate and execute commands in another tenant’s Azure Data Factory Integration Runtimes. These certificates are specific to Azure Data Factory and Synapse Pipelines, and do not pertain to the rest of Azure Synapse.
Orca Security reported a vulnerability to Microsoft on January 4, 2022, at which point we began our internal investigation to identify the scope of impact and to protect customers. Our timeline for investigation and mitigation can be summarized as follows:
Microsoft fully mitigated attack paths to this vulnerability on April 15, 2022, by taking the following steps across all IR types:
While our investigation found no evidence of Microsoft product or service misuse or malicious activity from this vulnerability aside from the activity Orca reported, we are sharing the following Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to protect customers.
Customers using automatic updates do not need to take additional action. Enterprise customers managing updates should select the detection build 1.363.1065.0 or later and deploy it across their environments.
Microsoft Defender Antivirus version 1.363.1065.0 or later detects components and behaviors related to this threat and protects customers through the following detections:
Microsoft Defender for Endpoint alerts with the following titles in the Microsoft 365 Defender portal can indicate threat activity on your network:
Microsoft Sentinel customers can use the following queries based on Microsoft Defender for Endpoint signatures to identify suspicious behavior leveraging this vulnerability.
To ensure that your resources receive the necessary security updates, customers using Azure Data Factory with Self-hosted IRs (SHIRs) with auto-update turned off must update their SHIRs to the latest version (5.17.8154.2). Customers can download the latest version here. These customers were also notified of this guidance through Service Health (Tracking ID: MLC3-LD0) in the Azure Portal.
No further action is required of customers using SHIRs with auto-update enabled or customers using Azure IRs.
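As an added example (not part of the MSRC post), the following PowerShell inventories the self-hosted IRs in one data factory and flags any that are below the patched version 5.17.8154.2 while also having auto-update turned off, which is exactly the population the guidance above asks to act. It assumes the Az.DataFactory module and an authenticated session; the Version, AutoUpdate and Type property names on the cmdlet output are assumptions, not taken from the post.

```powershell
# Added example, not from the MSRC post: find self-hosted IRs that still need the manual update.
# Assumes Az.DataFactory is installed and Connect-AzAccount has already been run.
# Assumed property names: Type ('SelfHosted'), and on the -Status object Version and AutoUpdate.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $DataFactoryName
)

# Minimum SHIR version named in the advisory.
$PatchedVersion = [version]'5.17.8154.2'

$selfHostedIRs = Get-AzDataFactoryV2IntegrationRuntime `
        -ResourceGroupName $ResourceGroupName -DataFactoryName $DataFactoryName |
    Where-Object { $_.Type -eq 'SelfHosted' }

foreach ($ir in $selfHostedIRs) {
    # -Status returns node-level runtime details, including the installed version and auto-update state.
    $status = Get-AzDataFactoryV2IntegrationRuntime -ResourceGroupName $ResourceGroupName `
        -DataFactoryName $DataFactoryName -Name $ir.Name -Status

    # An IR with no registered node reports no version; treat it as unknown rather than patched.
    $installed = $null
    if (-not [string]::IsNullOrWhiteSpace($status.Version)) {
        $installed = [version]$status.Version
    }

    $autoUpdateOn = ($status.AutoUpdate -eq 'On')
    $belowPatched = ($null -eq $installed) -or ($installed -lt $PatchedVersion)

    # Action is required only for the combination the advisory calls out:
    # auto-update off AND running an older (or unknown) build.
    [pscustomobject]@{
        IntegrationRuntime = $ir.Name
        InstalledVersion   = if ($installed) { $installed.ToString() } else { 'unknown' }
        AutoUpdate         = $status.AutoUpdate
        NeedsManualUpdate  = (-not $autoUpdateOn) -and $belowPatched
    }
}
```

Run it per factory and review any row with NeedsManualUpdate set to True; rows with auto-update on will pick up the patched build without intervention.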
Customers can read more about the updates made to Self-hosted IR for this vulnerability in the release notes.
For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network which provides better compute and network isolation. Customers using Azure Data Factory can enable Azure integration runtimes with a Managed Virtual Network. Microsoft is continually taking steps to apply additional safeguards to harden the Azure Data Factory and Azure Synapse Analytics platforms and protect our customers.
While Microsoft applied the necessary mitigations for the vulnerability that Orca Security reported, we continue to invest engineering effort to ensure that customers of Azure Data Factory and Synapse pipeline workloads running in our cloud are secure and trustworthy. Our ongoing efforts include:
Please visit our Security Advisory for further details on our ongoing effort to address this issue: ADV220001.
We want to acknowledge Orca Security for reporting this vulnerability. We appreciate their continued partnership and collaboration. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the terms and conditions in the Microsoft Bug Bounty Program to avoid impacting customer data while conducting security research.
The MSRC Team
6-14-2022 - Blog post updated to reflect the steps taken across all IR types and acknowledgements.