Vulnerability Fixed in Azure Synapse Spark

Summary

Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication. We value the role the security research community plays in helping secure Microsoft products and services and the broader ecosystem.

Orca Security is one of those researchers. Under Coordinated Vulnerability Disclosure (CVD), they informed Microsoft on June 1, 2022, of an Elevation of Privilege (EoP) vulnerability affecting Azure Synapse Spark. Microsoft fixed this EoP vulnerability on June 18, 2022. No customer action is required.

Vulnerability Details

Azure Synapse provided users the capability to mount Azure File Shares to their Apache Spark Pools via a script called filesharemount.sh that would execute with elevated privileges. This script would mount the File Share to the _/synfs _directory. There was a race condition in the script where, if successfully exploited, a user could execute the chown command to change the ownership of any directory—including the one containing the _filesharemount.sh _itself. This enabled a user to execute additional code with root privileges.

While the EoP behavior was not intended, the impact was limited only to the user’s Spark pool. It did not permit unauthorized access to other customers’ workloads or sensitive secrets.

Microsoft’s Response

We mitigated this EoP in Synapse Spark through the following:

1. We removed the capability to mount Azure File Shares to Spark pools indefinitely to redesign a more secure alternative.
2. We updated the documentation for How to use file mount/unmount API in Synapse to provide an alternative approach for safely mounting storage to Spark pools.

As with all our products and services, we continue to prioritize security enhancements from the inside out. For Synapse Spark, we:

• Implemented additional layers of defense-in-depth

• Improved detection capabilities to alert our security teams of anomalous activity, to include:

  • Interactive shell escalation
  • Data exfiltration
  • Anomalous API calls
  • Usage of specific command line tools

• Conducted variant analysis of key components used by Synapse Spark to enumerate possible attack paths

• Conducted proactive hunting for additional exploits and tested security boundaries

Further hardening Synapse Spark is one example of our continual work to enhance the security of our products and protect our customers. To learn more about Azure Security offerings, please visit the Azure Security catalog.

Customer Guidance

To reiterate, no action is required by customers.

Our internal investigations determined this is a local privilege escalation within the user’s Spark pool and does not result in any cross-tenant scenarios or exposure of sensitive secrets or customer data.

We would like to thank Orca for reporting this vulnerability and working with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure to help keep Microsoft customers safe. For more information on our bug bounty program, visit our Microsoft Bug Bounty Program page, review the program’s Terms and Conditions, and read our recent “Microsoft Bug Bounty Program Year in Review” blog post.

Additional References

Questions? Open a support case through the Azure Portal at aka.ms/azsupt.

Timeline: