Tenable Security has disclosed two bugs in analytics software that Microsoft provides to Azure users, and has complained that cloud providers don’t follow industry-standard security disclosure practices.
In its Tenable TechBlog, the company says Microsoft has patched one bug in its Synapse Analytics platform without notifying users, and has left the other unpatched.
Synapse Analytics is a machine learning and data aggregation platform, which runs on Apache Spark with limited permissions, Tenable said in its blog post.
“Tenable Research has discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM,” the post explained.
“We have also discovered a flaw that allows a user to poison the hosts file on all nodes in their Spark pool, which allows one to redirect subsets of traffic and snoop on services users generally do not have access to.”
The privilege escalation bug, Tenable wrote, exists because Synapse uses Jupyter notebooks and a script called filesharemount.sh which “happens to contain a handful of flaws that, when combined, can be used to escalate privileges to root”.
The hosts file poisoning bug is far less severe – Tenable describes it as “kinda fun and interesting”, while saying it could have potential to be used “as a critical piece of a greater exploit chain”.
That’s because the bug allows a low-privileged user to overwrite the “hosts” file in their Spark pool.
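The defensive check that follows is an added example and is not code from Tenable or Microsoft: it audits a snapshot of a node's hosts file against a baseline of expected name-to-address mappings, which is how an operator would notice the kind of overwrite described above. The service hostnames, addresses and the tampered sample are constructed for illustration and are not Synapse's real entries; the baseline would be replaced by the pool's own known-good mappings.

```python
"""Audit a hosts-file snapshot for entries that redirect known service names.

Added example (not the page's or the vendor's code). All hostnames and
addresses below are constructed for illustration.
"""
import os
import re
import stat
from dataclasses import dataclass

# Hypothetical baseline: the resolver entries a Spark node is expected to carry.
EXPECTED = {
    "localhost": {"127.0.0.1", "::1"},
    "spark-master.internal": {"10.0.0.5"},
    "metastore.internal": {"10.0.0.9"},
}

# Constructed snapshot of a hosts file after an unauthorised edit: the last
# line points an existing service name at a different node and adds a name
# that is not part of the baseline at all.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
10.0.0.5    spark-master.internal
10.0.0.9    metastore.internal
# injected line
10.0.0.77   metastore.internal storage.internal
"""


@dataclass
class Finding:
    hostname: str
    address: str
    reason: str


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are skipped.

    A single line may carry several hostnames for one address, so one line can
    produce several pairs. Hostnames are lower-cased because resolution is
    case-insensitive.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue  # an address with no names resolves nothing
        address, *names = fields
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def audit_hosts(text, expected=EXPECTED):
    """Flag entries that remap a baseline name or introduce a name not in the baseline."""
    seen = {}
    for address, name in parse_hosts(text):
        seen.setdefault(name, []).append(address)

    findings = []
    for name, addresses in seen.items():
        if name in expected:
            for addr in addresses:
                if addr not in expected[name]:
                    findings.append(Finding(name, addr,
                                            "known service name mapped to an unexpected address"))
        else:
            for addr in addresses:
                findings.append(Finding(name, addr, "hostname not present in baseline"))
    return findings


def others_writable(path):
    """True if users other than the owner and group can write the file.

    A hosts file writable by a low-privileged account is the precondition for
    the overwrite described in the article, so this is the first thing to check.
    """
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f.hostname} -> {f.address}: {f.reason}")
    if os.path.exists("/etc/hosts"):
        print("others can write /etc/hosts:", others_writable("/etc/hosts"))
```

In practice the snapshot would be read from each node in the pool (or from a configuration-management agent) and compared on every run, and any finding on a name that fronts credentials or storage traffic would be treated as a high-priority alert rather than a drift warning.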
The privilege escalation bug has been patched with minimal disclosure, Tenable claimed, while the hosts file poisoning bug remains unpatched.
The post said Microsoft’s Synapse engineering team believes the bugs don’t enable cross-tenant attacks, but Tenable believes the vulnerabilities deserve to be rated “critical”.
Disclosure practice criticised
Tenable saves its greatest criticisms for how Microsoft handled the bugs.
Specifically, Tenable complained that it could only get a response from the vendor by discussing the issue on Twitter; that Microsoft patched the privilege escalation bug without contacting Tenable; and that the patch was made silently.
Such behaviour is endemic in cloud security, Tenable said.
As the post stated: “cloud providers rarely provide notice that a security-related flaw was ever present in the first place.
“Cloud vulnerabilities rarely receive CVEs because they aren’t static products. They are ever-changing beasts with no accountability requirements in terms of notifying users and customers of security-related changes.”
In a separate post on LinkedIn, Tenable chairman and CEO Amit Yoran said: “To date, Microsoft customers have not been notified … This is a repeated pattern of behaviour.”