Microsoft on Monday disclosed that it mitigated a security flaw influencing Azure Synapse and Azure Details Factory that, if productively exploited, could end result in remote code execution.
The vulnerability, tracked as CVE-2022-29972, has been codenamed “SynLapse” by researchers from Orca Security, who described the flaw to Microsoft in January 2022.
“The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver made use of to link to Amazon Redshift in Azure Synapse pipelines and Azure Knowledge Factory Integration Runtime (IR) and did not effects Azure Synapse as a full,” the corporation mentioned.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“The vulnerability could have permitted an attacker to accomplish distant command execution across IR infrastructure not limited to a solitary tenant.”
In other terms, a destructive actor can weaponize the bug to receive the Azure Knowledge Manufacturing unit support certificate and obtain another tenant’s Integration Runtimes to get accessibility to delicate info, properly breaking tenant separation protections.
The tech giant, which resolved the security flaw on April 15, claimed it observed no proof of misuse or destructive activity involved with the vulnerability in the wild.
That mentioned, the Redmond-based mostly organization has shared Microsoft Defender for Endpoint and Microsoft Defender Antivirus detections to guard customers from potential exploitation, adding it is doing work to bolster the security of 3rd-party information connectors by operating with driver sellers.
The results occur a tiny in excess of two months right after Microsoft remediated an “AutoWarp” flaw impacting its Azure Automation company that could have permitted unauthorized accessibility to other Azure client accounts and acquire above management.
Past thirty day period, Microsoft also settled a pair of issues — dubbed “ExtraReplica” — with the Azure Databases for PostgreSQL Versatile Server that could consequence in unapproved cross-account databases obtain in a region.
Found this write-up intriguing? Follow THN on Fb, Twitter and LinkedIn to read through a lot more exclusive written content we submit.
Some areas of this article are sourced from:
thehackernews.com
Critical Infrastructure Firms See Cyber-Attacks Surge