


Besides permitting an attacker to obtain credentials to other Azure Synapse customer accounts, the flaw made it possible to sidestep tenant separation and execute code on targeted customer machines, as well as to control Synapse workspaces and exfiltrate sensitive data to external destinations.

Microsoft has since incorporated additional improvements to address the recently disclosed SynLapse security vulnerability, in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information. As a result, even if an attacker could execute code on the integration runtime, that runtime is never shared between two different tenants, which means that no sensitive data is in danger, according to Orca Security's technical report detailing the flaw.
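To make the difference between the two credential models concrete, here is an added example (not code from the article, from Microsoft or from Orca Security): a simplified Python model in which a shared client-certificate identity is trusted for every tenant's secret store, beside a hardened variant where a short-lived HMAC-signed token carries a tenant and workspace claim and is only honoured for the tenant it was minted for. The signing key, certificate subject, tenant names and per-tenant secrets are all constructed for this illustration and say nothing about how Azure implements scoped tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo: a simplified model of tenant-scoped tokens vs. a shared
# client-certificate identity. Key, names and data are assumptions made for
# this example; none of it is Azure's implementation.

SIGNING_KEY = b"demo-only-signing-key"  # assumption: a server-side secret

# Constructed sample "linked service" secrets, one store per tenant.
SECRETS = {
    "tenant-a": {"sql-conn": "Server=a.db;Password=alpha"},
    "tenant-b": {"sql-conn": "Server=b.db;Password=bravo"},
}

SHARED_RUNTIME_CERT_SUBJECT = "CN=shared-integration-runtime"  # assumption


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_scoped_token(tenant_id: str, workspace_id: str, ttl: int = 300,
                      now: Optional[float] = None) -> str:
    """Mint a short-lived token bound to exactly one tenant and workspace."""
    issued = time.time() if now is None else now
    claims = {"tenant": tenant_id, "workspace": workspace_id, "exp": issued + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # claims were altered or token was forged
    claims = json.loads(b64d(body))
    if claims["exp"] < (time.time() if now is None else now):
        return None  # expired
    return claims


def fetch_secret_unscoped(cert_subject: str, tenant_id: str, name: str) -> str:
    """Weak model: whoever presents the shared runtime's certificate is trusted
    for every tenant, so code running on that runtime can read any store."""
    if cert_subject != SHARED_RUNTIME_CERT_SUBJECT:
        raise PermissionError("unknown client certificate")
    return SECRETS[tenant_id][name]


def fetch_secret_scoped(token: str, tenant_id: str, name: str) -> str:
    """Hardened model: the token must verify and its tenant claim must match
    the tenant whose secret is being requested."""
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid or expired token")
    if claims["tenant"] != tenant_id:
        raise PermissionError("token is not scoped to this tenant")
    return SECRETS[tenant_id][name]


def cross_tenant_allowed(fetch: Callable[[str, str, str], str], credential: str) -> bool:
    """True if a credential held by tenant-a's runtime can read tenant-b's secret."""
    try:
        fetch(credential, "tenant-b", "sql-conn")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("shared certificate reaches other tenant:",
          cross_tenant_allowed(fetch_secret_unscoped, SHARED_RUNTIME_CERT_SUBJECT))
    token = mint_scoped_token("tenant-a", "ws-1")
    print("scoped token reaches other tenant:",
          cross_tenant_allowed(fetch_secret_scoped, token))
```

The point the two fetch functions make is that the shared certificate authenticates the runtime but says nothing about which tenant is asking, whereas the scoped token ties the credential to a tenant and workspace and expires, so a token lifted from a compromised runtime cannot be replayed against a different tenant's store.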
