low

Dirty DAG - Azure Apache Airflow Integration Vulnerabilities

Published Mon, Dec 16th, 2024
Platforms

Summary

Unit 42 researchers identified vulnerabilities in Azure Data Factory's integration with Apache Airflow. These vulnerabilities include misconfigured Kubernetes Role-Based Access Control (RBAC), improper secret handling in Azure's internal Geneva service, and weak authentication mechanisms. By exploiting these flaws, through crafted malicious DAG files or compromised service principals, attackers could gain shadow admin control over Azure infrastructure, leading to unauthorized access, data exfiltration, malware deployment, and persistent control of the cluster. Once inside, attackers can escalate privileges within the Azure Kubernetes Service (AKS) cluster, compromise containerized environments, and abuse Azure's Geneva service to manipulate logs and metrics. The research highlighted how weak default configurations allowed attackers to escape containers, obtain root access to host nodes, and enumerate critical Azure resources, including storage accounts, DNS zones, and other sensitive assets.

Affected Services

Azure Data Factory

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
-
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ofir Balassiano, David Orlovsky, Palo Alto