Summary
Azure Synapse Analytics is an analytics service for processing data using various runtimes,
among them Apache Spark. Synapse provided users the capability to mount Azure File Shares to
their Apache Spark Pools via a script called filesharemount.sh that would execute with elevated
privileges. This script would mount the File Share to the /synfs directory. There was a race
condition in the script where, if successfully exploited, a user could execute the chown command
to change the ownership of any directory—including the one containing the filesharemount.sh itself.
This enabled a user to execute additional code with root privileges. On its own, the impact of this
vulnerability was limited to the user’s own Spark pool, and did not permit cross-tenant access.
Following disclosure, Microsoft disabled the ability to mount Azure File Shares to Spark pools,
and recommended mounting Data Lake Storage Gen2 or Azure Blob Storage instead.
Affected Services
Synapse Analytics
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://orca.security/resources/blog/synapse-local-privilege-escalation-vulnerability-spark/https://msrc-blog.microsoft.com/2022/09/01/vulnerability-fixed-in-azure-synapse-spark/
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Wed, Jun 1st, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Tzah Pahima, Orca Security
