Two security vendors — Orca Security and Tenable — have accused Microsoft of unnecessarily endangering customers’ data and cloud environments by taking far too long to fix critical vulnerabilities in Azure.
In a blog posted today, Orca Security researcher Tzah Pahima claims it took Microsoft several months to fully fix a security flaw in Azure’s Synapse Analytics that it discovered in January.
And in a separate blog posted on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to, and transparency around, two other vulnerabilities that could be exploited by anyone using Azure Synapse.
Long and winding road
Orca’s story begins on January 4, when Pahima reported a bug he named SynLapse.
This flaw, which received a severity score of 7.8 and is being tracked as CVE-2022-29972, could allow a remote attacker to bypass tenant separation in the data analytics service and access and control the workspaces of other customers. As well as stealing credentials, an attacker could use it to leak sensitive data stored in cloud services, including Azure keys, API tokens, and passwords.
Microsoft alerted customers and released a fix in March, but Orca’s bug hunters bypassed it and notified Microsoft on March 30.
In April, 90 days after disclosing the security flaw, Orca said it informed Microsoft that the keys and certificates were still valid and that its security researchers still had access to the Synapse management server.
Microsoft patched the bypass on April 10, but Orca got around that patch too and notified Redmond that the analytics service remained vulnerable.
Which brings us to this week. Several patches later, and with Orca's technical analysis about to be published, Microsoft reportedly told Orca on Monday that it had fixed the infrastructure weakness, this time for real.
The Register has not seen Microsoft's mitigation. "Microsoft reached out to us today and let us know that they have more robust fixes in place for the issues," Orca CTO Yoav Alon said Monday, adding that the research team hadn't yet had time to validate the patches.
We're told that in late May, Microsoft rolled out more comprehensive tenant isolation, which included ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.
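To make concrete what "ephemeral, scoped tokens on a shared runtime" buys over a single shared credential, here is an added toy model. It is illustrative code written for this page, not Microsoft's implementation and not a model of Azure Synapse internals: the workspace table, the `RUNTIME_SECRET`, the HMAC token format and the five-minute TTL are all assumptions chosen for the demonstration. The weak design lets any job that can read the runtime-wide secret fetch any tenant's workspace; the hardened design binds each short-lived token to one tenant and workspace, so the same job presenting its token against another tenant's workspace, a tampered token, or an expired token gets nothing.

```python
"""Toy model of tenant isolation on a shared execution runtime.

Illustrative only (assumption): not Microsoft's code, not a model of
Azure Synapse internals. Contrasts one long-lived credential shared by
every tenant's jobs with per-job ephemeral tokens scoped to a single
tenant and workspace.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: two tenants' workspaces on one shared runtime.
WORKSPACES = {
    ("tenant-a", "ws-a"): {"db_password": "a-secret"},
    ("tenant-b", "ws-b"): {"db_password": "b-secret"},
}

# --- Weak design: one runtime-wide credential every job can read ---------
RUNTIME_SECRET = "shared-runtime-credential"  # hypothetical value


def weak_fetch(presented_secret, tenant, workspace):
    """Any job holding the shared secret can read any tenant's workspace."""
    if not hmac.compare_digest(presented_secret, RUNTIME_SECRET):
        return None
    return WORKSPACES.get((tenant, workspace))


# --- Hardened design: ephemeral tokens scoped to one tenant/workspace ----
SIGNING_KEY = secrets.token_bytes(32)  # held by the control plane only


def mint_scoped_token(tenant, workspace, issued_at, ttl_s=300):
    """Control plane issues a short-lived token bound to one workspace."""
    exp = issued_at + ttl_s
    payload = f"{tenant}|{workspace}|{exp}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + mac


def scoped_fetch(token, tenant, workspace, now):
    """Runtime enforces the binding: bad MAC, expiry or scope mismatch fails."""
    try:
        t_tenant, t_ws, t_exp, mac = token.split("|")
    except ValueError:
        return None  # malformed token
    payload = f"{t_tenant}|{t_ws}|{t_exp}".encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    if now >= int(t_exp):
        return None  # ephemeral token has expired
    if (t_tenant, t_ws) != (tenant, workspace):
        return None  # token is scoped to a different tenant/workspace
    return WORKSPACES.get((tenant, workspace))


def demo():
    """Tenant A's job tries to read tenant B's workspace under both designs.

    Returns (weak_cross_tenant, scoped_cross_tenant, scoped_own, scoped_expired).
    """
    weak_cross = weak_fetch(RUNTIME_SECRET, "tenant-b", "ws-b")
    tok = mint_scoped_token("tenant-a", "ws-a", issued_at=1000)
    scoped_cross = scoped_fetch(tok, "tenant-b", "ws-b", now=1001)
    scoped_own = scoped_fetch(tok, "tenant-a", "ws-a", now=1001)
    scoped_expired = scoped_fetch(tok, "tenant-a", "ws-a", now=1400)
    return weak_cross, scoped_cross, scoped_own, scoped_expired


if __name__ == "__main__":
    print(demo())
```

The point of the model is the third check in `scoped_fetch`: even a valid, unexpired token is useless against a workspace it was not minted for, which is what "scoped" means in practice, and the TTL bounds how long a leaked token stays useful.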
“Repeated Behavior Pattern”
At press time, Redmond had not responded to The Register's request to see the information provided to Orca. Microsoft also did not respond to requests for comment on the blog posts by the Orca and Tenable chiefs, and its security team did not answer questions about why the Synapse bugs took so long to fix.
The Tenable CEO's post details Microsoft's response to a privilege escalation flaw that researchers discovered could be exploited by anyone using Azure Synapse.
Microsoft, according to Yoran, "silently fixed" one of the bugs and "privately acknowledged the seriousness" of the security flaws 89 days after Tenable disclosed them, and only after Tenable said it was going to publish its proof-of-concept exploit.
“This is repeat behavior,” Yoran wrote.
"Several security companies have written about their vulnerability notification interactions with Microsoft and Microsoft's dismissive attitude towards the risk vulnerabilities pose to their customers," he added, citing Orca's Synapse vulnerability research as well as similar accounts from ace, Positive Security, and Fortinet's review of the Follina zero-day exploit.
In an interview with The Register, Orca CEO Avi Shua and CTO Yoav Alon said the cloud security shop's researchers are always looking for vulnerabilities in cloud environments. Most of the time, after Orca's team reports the bugs, cloud service providers fix them quickly, "with the highest level of seriousness you can imagine," Shua said.
Shua pointed to two earlier vulnerabilities the Orca team found in AWS Glue and AWS CloudFormation. Amazon fixed both in about 25 hours.
“Unfortunately, this time it was a bit different,” he said, adding that he needed to escalate the bug to the EVP level before anyone at Microsoft paid attention to it.
“Everyone has vulnerabilities,” Shua continued. “We know that. But the bigger and more important you are in the ecosystem, and the more impact your business has, the question of when you are able to mitigate it is the most important element.”
In other words: Microsoft, as the second largest cloud provider, is about as big as they come. "Why did it take five months for Microsoft to mitigate a vulnerability in a core Azure service? It hasn't been answered yet," Shua lamented.
90 days? Or five months?
The security industry as a whole has agreed to a 90-day responsible disclosure schedule, Shua said, noting that this should give software makers enough time to work with security researchers, resolve the issue, and protect customers before full public disclosure.
But that mutually agreed-upon time frame predates the cloud, “and arguably should be much shorter than 90 days,” Shua said. “We saw that AWS was able to deploy [patches] in a day or two.”
Either way, when it comes to critical tenant separation flaws in Microsoft's Azure Synapse, "we're talking about five months," he noted.
This is especially dangerous because, as Microsoft admitted in its May Patch Tuesday blog, publicly leaked exploit code for this bug already exists. Moreover, according to Orca's Alon, it is not very difficult to exploit.
When asked how technically sophisticated an attacker would have to be to exploit the RCE bug and gain access to other customers’ Azure environments, Alon replied, “Unfortunately, not very sophisticated. I would classify it as medium.”
In a video, Orca demonstrated how a criminal could leak a victim's credentials entered into Synapse knowing nothing but the name of a Synapse instance.
Customers should demand transparency from their cloud providers, Shua said. “It’s essential,” he added. “Vulnerabilities will exist in the future, and there is nothing we can do to prevent them. But the question is: how quickly was it fixed? What is the attack surface? How was it mitigated, and time is an important part of that.” ®