Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Microsoft Azure Synapse Analytics - Privilege Escalation via Vegas Caching Service

Medium

Synopsis

A security issue was discovered within Microsoft’s Azure Synapse that allowed for privilege escalation to root on hosts managed by an internal Microsoft subscription ID. While we do not believe that cross-tenant access was possible via this vector, this issue granted access to potentially sensitive environmental information and allowed for the ability to forge data sent to a variety of monitoring services.

The elevated privilege level granted access to…

  • Azure’s Instance Metadata Service (IMDS)
  • WireServer
  • Full filesystem access
  • Certificates allowing access to logging infrastructure
  • Vulnerability management agents and their configurations
  • Shared access signature (SAS) URLs granting direct access to various storage services for the active Workspace


Additionally, running data recovery software on these hosts allowed us to recover information regarding the provisioning and setup process of Spark clusters (vhd-creation).

The specific component responsible for this privilege escalation was the Vegas Caching Service, a caching mechanism deployed within Synapse compute clusters.

Regarding severity, Tenable generally adheres to the CVSS severity scale (https://nvd.nist.gov/vuln-metrics/cvss). Tenable reported this vulnerability to MSRC as an Information Disclosure issue with the following recommendations:

  • Regarding the Vegas Caching Service component, escalation to root on the service’s host constitutes a CVSSv3 score of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8).
  • Regarding Azure Synapse as a whole, CVSS scoring is not an adequate measurement to use for cloud-based services, so we simply suggest a severity rating of Medium based on impacts to data integrity and confidentiality.

MSRC chose to acknowledge this issue as an Elevation of Privilege with a severity rating of Important. MSRC’s severity rating system can be found here: https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system

Technical Details:

Based on the commit logs available on hosts running in the Synapse environment, the Vegas caching service appears to have been modified in September 2023 to run as the “trusted-service-user” account. Prior iterations of this service ran as root. When this service starts, however, a separate script is run (/bin/vegas/setupPipeSize.sh) in order to set certain parameters for the Vegas service. This script still runs as root. Additionally, it is writable by the “trusted-service-user” account.

By running code on a host within the cluster running the Vegas service, it was possible to modify the setupPipeSize.sh script and kill the running Vegas service. When the service attempts to restart, our modified script will run as root, which allows us to elevate our privileges to root. The following image demonstrates this.

Solution

Microsoft has rolled out fixes for this issue across all supported regions. As this is a cloud-based service, no action is necessary for end users.

Disclosure Timeline

January 7, 2024 - MSRC reaches out to Tenable based on alerts triggered within Azure infrastructure.
January 9, 2024 - Tenable confirms activity within Azure Synapse and requests further information.
January 9, 2024 - MSRC requests disclosure of discovered issue.
January 11, 2024 - Tenable states that their researcher requires more time to provide write-up and requests further information.
January 17, 2024 - Microsoft responds.
January 22, 2024 - Tenable acknowledges and states that a write-up is in progress.
January 25, 2024 - Tenable discloses via MSRC portal and sends case number to previous email thread.
January 25, 2024 - MSRC sends automated acknowledgement via portal.
February 2, 2024 - MSRC requests more information via portal.
February 6, 2024 - Tenable provides more information via portal.
February 7, 2024 - Tenable requests acknowledgement in original email thread.
February 15, 2024 - MSRC provides status update regarding ticket via portal.
February 21, 2024 - Tenable requests acknowledgement in original email thread.
February 21, 2024 - Tenable requests status update via MSRC portal.
February 21, 2024 - MSRC provides status update and acknowledges original email thread.
February 21, 2024 - MSRC awards researcher with $10,000 bug bounty.
February 26 - March 4, 2024 - MSRC and Tenable communicate disclosure details. MSRC suggests a disclosure date of March 7. Tenable confirms.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2024-06
Credit:
Jimi Sebree
Affected Products:
Azure Synapse Analytics
Vegas Caching Service deployed prior to Jan 2024
Risk Factor:
Medium

Advisory Timeline

March 7, 2024 - Initial release.