Summary:
Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication. We value the role the security research community plays in helping secure Microsoft products and services and the broader ecosystem.
Orca Security is one of those researchers. Under Coordinated Vulnerability Disclosure (CVD), they informed Microsoft on June 1, 2022, of an Elevation of Privilege (EoP) vulnerability affecting Azure Synapse Spark. Microsoft fixed this EoP vulnerability on June 18, 2022. No customer action is required.
Vulnerability Details:
Azure Synapse provided users the capability to mount Azure File Shares to their Apache Spark Pools via a script called filesharemount.sh that would execute with elevated privileges. This script would mount the File Share to the /synfs directory. There was a race condition in the script where, if successfully exploited, a user could execute the chown command to change the ownership of any directory—including the one containing the filesharemount.sh itself. This enabled a user to execute additional code with root privileges.
While the EoP behavior was not intended, the impact was limited only to the user’s Spark pool. It did not permit unauthorized access to other customers’ workloads or sensitive secrets.
Microsoft’s Response:
We mitigated this EoP in Synapse Spark through the following:
- We removed the capability to mount Azure File Shares to Spark pools indefinitely to redesign a more secure alternative.
- We updated the documentation for How to use file mount/unmount API in Synapse to provide an alternative approach for safely mounting storage to Spark pools.
As with all our products and services, we continue to prioritize security enhancements from the inside out. For Synapse Spark, we:
- Implemented additional layers of defense-in-depth
- Improved detection capabilities to alert our security teams of anomalous activity, to include:
- Interactive shell escalation
- Data exfiltration
- Anomalous API calls
- Usage of specific command line tools
- Conducted variant analysis of key components used by Synapse Spark to enumerate possible attack paths
- Conducted proactive hunting for additional exploits and tested security boundaries
Further hardening Synapse Spark is one example of our continual work to enhance the security of our products and protect our customers. To learn more about Azure Security offerings, please visit the Azure Security catalog.
Customer Guidance:
To reiterate, no action is required by customers.
Our internal investigations determined this is a local privilege escalation within the user’s Spark pool and does not result in any cross-tenant scenarios or exposure of sensitive secrets or customer data.
We would like to thank Orca for reporting this vulnerability and working with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure to help keep Microsoft customers safe. For more information on our bug bounty program, visit our Microsoft Bug Bounty Program page, review the program’s Terms and Conditions, and read our recent “Microsoft Bug Bounty Program Year in Review” blog post.
Additional References:
Questions? Open a support case through the Azure Portal at aka.ms/azsupt.
Timeline:
| Date | Action Taken |
|---|---|
| 2022-06-01 | Orca submits initial report to Microsoft |
| 2022-06-15 | Synapse Spark provides initial assessment of findings |
| 2022-06-16 | Internal audit of Synapse Spark service begins |
| 2022-06-18 | Elevation of Privilege bug mitigated |
| 2022-06-18 | Variant analysis of Synapse Spark service begins |
| 2022-06-18 | Internal audit of Synapse Spark service complete |
| 2022-06-21 | Investigations complete. No impact to customer data, secrets, or tenant boundaries discovered. |
| 2022-06-21 | Full threat surface analysis of Spark service begins |
| 2022-08-10 | Orca provides MSRC with a draft of their blog |