Researchers at Orca Security posted a blog on Tuesday describing a case in which tenant separation vulnerabilities were discovered in Azure Synapse Analytics; Orca claimed it took Microsoft over 100 days to make a final fix.
Avi Shua, co-founder and CEO at Orca, added that it took three patches to correct the issue and the first two were bypassed by Orca researchers. He claimed that the internal control server was only revoked after 96 days and after an aggressive stance by Orca. Shua said while Microsoft fixed the vulnerability, it also needed to set up a sandbox as an extra layer of protection.
Shua said Orca discloses these types of security issues all the time. On at least two occasions with AWS, as well as with Microsoft Azure, the issues were fixed within a few days. He also noted that Tenable had a similar experience with vulnerabilities it discovered in Azure Synapse Analytics and published an account in a blog yesterday.
This case was very different from Orca's past experiences with Azure, said Shua, who said they first reported the issue to Microsoft on Jan. 4. “Only after two-and-a-half months later did we get a response,” Shua said. “But it was very clear that the root problem was not fixed, they still hadn’t revoked the keys that were exposed.”
Shua said he felt after almost four months, he needed to tell the industry, and that’s why he told Microsoft he would publish a blog on May 9.
Microsoft, for its part, also posted a blog on May 9 which reported the issue was mitigated by April 15. Microsoft also pointed out that the Orca and Tenable cases are unrelated vulnerabilities, adding that it addressed the issues that Tenable reported to them and no customer action is required.
Despite the patch on the issue Orca identified, Shua still claimed that Microsoft needed to add the sandbox, so he wrote in the May 9 blog that Orca would publish the full technical details of the case on June 14. Shua said it was only late last week on June 9 when Microsoft notified Orca that it made the final fix. The patch was done in an automated way by Microsoft, so there’s nothing security teams need to do at this point.
“Nobody told me wait another two weeks and it will be solved,” Shua said. “It took more than five months from the time we found the vulnerability.”
The question of how multi-tenant services delivered in cloud platforms are vetted for security has become a thorny one, said Oliver Tavakoli, CTO at Vectra. Tavakoli said when the service in question is just the ability to run a workload, vetting the underlying hypervisor for possible escapes could (mostly) get done outside the cloud platform.
“However, with recent disclosures of flaws in more complicated bespoke services in cloud platforms, it’s become clear that we have a raft of potential vulnerabilities and no good way to test them without potentially breaking production systems, and the responses to the disclosure of these vulnerabilities are still a relatively undeveloped muscle,” Tavakoli said. “I am not sure who within Microsoft approved this particular response, but these decisions cannot be left to individual product teams without some central oversight which provides necessary checks and balances.”
Mohit Tiwari, co-founder and CEO at Symmetry Systems, said organizations have to put seat belts around their crown jewels to prevent or detect data breaches. This key lesson has been repeatedly underlined by the several critical vulnerabilities found in all cloud service providers over the last year, Tiwari said. The CSPs' platforms are incredibly complex, and customer organizations should adopt zero-trust principles around all their crown jewels to reduce privilege and add pervasive detection-response seat belts around them, he said.
“Separately, we should consider discussing vulnerability disclosures without attaching stigma to the targets, Microsoft Azure in this case,” Tiwari said. “While there are egregious outlier companies that may deserve stigma, Microsoft and similar companies strive hard against an impossible challenge: to write software without vulnerabilities. And if the discussion — and headlines — were pragmatic and focused on addressing an engineering issue, they might also spend less energy on containing PR fallout, and being adversarial to the bug-hunters, versus addressing the problem.”
Bud Broomhead, CEO at Viakoo, said vulnerabilities present in cloud infrastructure, especially ones that impact multiple tenants, often follow the pattern of being mitigated first (for speed) and then remediated (for securely ensuring full restoration of the service). By just mitigating a vulnerability, as Microsoft chose to do in this case, Broomhead said it leaves open the possibility of the vulnerability being exploited through mechanisms not covered by the mitigation.
“Given how resource-constrained most security teams are, having Microsoft automate both the mitigation and ongoing detection of this vulnerability for cloud-hosted customers is clearly beneficial,” Broomhead said. “Self-hosted customers may want to assess the extra effort and longer vulnerability window (higher chance of being exploited) as compared to being fully cloud-hosted.”
Broomhead added that this vulnerability was introduced by a third-party driver used to connect Amazon Redshift to Azure Synapse. As organizations increasingly move data and computations across multiple cloud environments, the opportunity for vulnerabilities to be introduced in the transfer mechanism will increase, Broomhead said.
“While Amazon is highly secure, and Azure is highly secure, third-party connections between them can be the weak link that threat actors will focus on,” Broomhead concluded.