Privacy Ninja



Microsoft Releases Fixes for Azure Flaw Allowing RCE Attacks

Microsoft has released security updates to address a security flaw affecting Azure Synapse and Azure Data Factory pipelines that could let attackers execute remote commands across Integration Runtime infrastructure.

The Integration Runtime (IR) compute infrastructure is used by Azure Synapse and Azure Data Factory pipelines to provide data integration capabilities across network environments (e.g., data flow, activity dispatch, SQL Server Integration Services (SSIS) package execution).

The vulnerability (tracked as CVE-2022-29972 and dubbed SynLapse by Orca Security's Tzah Pahima) was mitigated on April 15, with no evidence of exploitation before fixes were released.

According to Pahima’s findings, attackers can exploit this bug to access and control other customers’ Synapse workspaces, allowing them to leak sensitive data including Azure’s service keys, API tokens, and passwords to other services.

“The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory,” Microsoft explained in a security advisory published today.

“The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant,” the company added in a Microsoft Security Response Center (MSRC) blog post.

Successful exploitation of this ODBC connector for Amazon Redshift flaw could let malicious attackers running jobs in a Synapse pipeline execute remote commands. 

In the next attack stage, they could potentially steal the Azure Data Factory service certificate to execute commands in another tenant’s Azure Data Factory Integration Runtimes.

“Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism,” Orca Security’s Avi Shua said.

“Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it.”

How to mitigate

Microsoft says that customers using the Azure cloud (Azure Integration Runtime) or hosting their own on-premises runtime (Self-Hosted Integration Runtime) with auto-updates turned on don’t need to take any further action to mitigate this flaw.

Self-hosted IR customers who don’t have auto-update toggled on were already notified to safeguard their deployments via Azure Service Health Alerts (ID: MLC3-LD0).

The company advises them to update their self-hosted IRs to the latest version (5.17.8154.2) available on Microsoft’s Download Center.

These updates can be installed on 64-bit systems with .NET Framework 4.7.2 or above running client and server platforms, including the latest releases (Windows 11 and Windows Server 2022).
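The check below is an added example, not code from Microsoft or Orca Security: it triages an inventory of self-hosted IR nodes against the fixed version 5.17.8154.2 and the auto-update setting described above. The node names, the other version strings and the status labels are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

# Fixed self-hosted IR release named in the article.
FIXED_VERSION = (5, 17, 8154, 2)

class Node(NamedTuple):
    name: str
    version: str        # version string as reported by the node
    auto_update: bool   # whether auto-update is toggled on

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a four-part dotted version into ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(node: Node) -> str:
    """Classify one node. Status labels are hypothetical, chosen for this example."""
    version = parse_version(node.version)
    if version is None:
        return "check-manually"          # never assume an unreadable version is safe
    # Compare numerically: as plain strings, "5.9.x" would sort above "5.17.x".
    if version >= FIXED_VERSION:
        return "patched"
    return "awaiting-auto-update" if node.auto_update else "update-required"

# Constructed inventory (sample data, not real deployments).
INVENTORY = [
    Node("ir-node-01", "5.17.8154.2", False),
    Node("ir-node-02", "5.9.7900.1", False),
    Node("ir-node-03", "5.16.8130.3", True),
    Node("ir-node-04", "5.18.8172.1", True),
    Node("ir-node-05", "unknown", False),
]

def report(inventory=INVENTORY) -> dict:
    """Map each node name to its triage status."""
    return {node.name: triage(node) for node in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

Nodes reported as update-required are the ones the Service Health alert was aimed at: auto-update is off and the installed build predates the fix.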

“For additional protection, Microsoft recommends configuring Synapse workspaces with a Managed Virtual Network which provides better compute and network isolation,” Redmond added.

“Customers using Azure Data Factory can enable Azure integration runtimes with a Managed Virtual Network.”

You can find further information on how to fully mitigate CVE-2022-29972 in the “Customer Recommendations and Additional Support” section of MSRC’s blog post.

“Unfortunately, our research leads us to believe that the underlying architectural weakness is still present. There are areas in the service where a huge amount of Microsoft and 3rd party code, runs with SYSTEM permissions, processing customer controlled input,” Shua added.

“This runs on shared machines with access to Azure service keys and sensitive data of other customers. These areas of the service only have application-level separation and lack sandbox or hypervisor-level isolation. This is a major attack surface and not consistent with the level of security that public cloud customers expect.”

Disclosure timeline:

  • January 4 – Orca reported the issue to Microsoft
  • March 2 – Microsoft completed rollout of initial hotfix
  • March 11 – Microsoft identified and notified the customer affected by the researcher’s activity
  • March 30 – Orca notified Microsoft of an additional attack path to the same vulnerability
  • April 13 – Orca notified Microsoft of a second attack path to the same vulnerability
  • April 15 – Additional fixes deployed for the two newly reported attack paths as well as additional defense in depth measures applied

In March, Microsoft said it fixed another Azure security vulnerability in December (also reported by Orca Security) that enabled attackers to take complete control over other Azure customers’ data by abusing an Azure Automation service bug dubbed AutoWarp.

Last month, the company addressed a chain of critical bugs reported by cloud security firm Wiz in the Azure Database for PostgreSQL Flexible Server (known as ExtraReplica) that let malicious users gain access to other customers’ databases after bypassing authentication.

Other Microsoft Azure flaws fixed by Redmond during the last year also include ones Wiz researchers found in Azure Cosmos DB, the Open Management Infrastructure (OMI) software agent, and the Azure App Service.

Update: Clarified ExtraReplica attribution.


