Microsoft Azure Synapse Analytics - Privilege Escalation via Vegas Caching Service

A security issue was discovered within Microsoft’s Azure Synapse that allowed for privilege escalation to root on hosts managed by an internal Microsoft subscription ID. While we do not believe that cross-tenant access was possible via this vector, this issue granted access to potentially sensitive environmental information and allowed for the ability to forge data sent to a variety of monitoring services.

The elevated privilege level granted access to…

• Azure’s Instance Metadata Service (IMDS)
• WireServer
• Full filesystem access
• Certificates allowing access to logging infrastructure
• Vulnerability management agents and their configurations
• Shared access signature (SAS) URLs granting direct access to various storage services for the active Workspace

Additionally, running data recovery software on these hosts allowed us to recover information regarding the provisioning and setup process of Spark clusters (vhd-creation).

The specific component responsible for this privilege escalation was the Vegas Caching Service, a caching mechanism deployed within Synapse compute clusters.

Regarding severity, Tenable generally adheres to the CVSS severity scale (https://nvd.nist.gov/vuln-metrics/cvss). Tenable reported this vulnerability to MSRC as an Information Disclosure issue with the following recommendations:

• Regarding the Vegas Caching Service component, escalation to root on the service’s host constitutes a CVSSv3 score of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8).
• Regarding Azure Synapse as a whole, CVSS scoring is not an adequate measurement to use for cloud-based services, so we simply suggest a severity rating of Medium based on impacts to data integrity and confidentiality.

MSRC chose to acknowledge this issue as an Elevation of Privilege with a severity rating of Important. MSRC’s severity rating system can be found here: https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system

Technical Details:

Based on the commit logs available on hosts running in the Synapse environment, the Vegas caching service appears to have been modified in September 2023 to run as the “trusted-service-user” account. Prior iterations of this service ran as root. When this service starts, however, a separate script is run (/bin/vegas/setupPipeSize.sh) in order to set certain parameters for the Vegas service. This script still runs as root. Additionally, it is writable by the “trusted-service-user” account.

By running code on a host within the cluster running the Vegas service, it was possible to modify the setupPipeSize.sh script and kill the running Vegas service. When the service attempts to restart, our modified script will run as root, which allows us to elevate our privileges to root. The following image demonstrates this.