Discover and read the best of Twitter Threads about #synlapse

Most recent (2)

I was able to access thousands of companies’ passwords on #Azure and run code on their VMs.
This includes access to Microsoft’s own credentials… 💣

Here’s HOW I did it.
This is the story of #SynLapse. (1/11)
Looking at the Microsoft Azure bounty program, I noticed that “cross-tenant data leakage” in @azuresynapse is regarded as a high-impact scenario ❗️

The service queries data imported from customer sources (MySQL, CosmosDB, Amazon S3...)

How do you define a data source? (2/11)
1. Create a new “Linked Service”.
2. Select a platform, e.g. MySQL.
3. Choose an “integration runtime” (the machine that imports the data), either your own or the shared default one called “AutoResolveIntegrationRuntime”.

And then… you just type in your credentials 🔑 (3/11)
I was able to access #Azure user credentials and run code on other customers’ machines.
The vulnerability is called #SynLapse.

It was a vulnerability in Azure Synapse Analytics (@Azure_Synapse) & Azure Data Factory, exploiting a major flaw in the tenant separation.

(1/3)
Through access to an internal API server I was able to:
- Obtain access to other customers’ Synapse workspaces
- Perform API operations like adding/deleting resources
- Run code on their service machines
- Most importantly: leak all credentials they stored in the service.

(2/3)
This blog is an advisory surrounding this issue, where the root attack vector was patched and assigned CVE-2022-29972.

>>> Technical details soon.
>>> Microsoft’s blog is in the comments.

(3/3)

orca.security/resources/blog…