
Microsoft Azure HDInsight Infected by XSS Vulnerabilities

Microsoft has recently come under scrutiny for its cloud security practices, and now the company has patched multiple severe vulnerabilities in various Apache services in Azure HDInsight, its managed big data analytics service. The flaws were discovered by researchers from Orca Security, who believe that the relatively little effort required to find the vulnerabilities raises concerns about the overall security of the service. All of the vulnerabilities were cross-site scripting (XSS) issues that posed a significant risk to data and user privacy.

According to Lidor Ben Shitrit, a cloud security researcher at Orca Security, an attacker could have exploited these vulnerabilities to hijack web sessions and potentially put user data at risk. Ben Shitrit explained, “With any of these XSS vulnerabilities, an attacker could have delivered a malicious payload to any unsuspecting user of the relevant Apache service, such as Hadoop, Spark, and Oozie.” This highlights the potential danger that these vulnerabilities posed to organizations using Azure HDInsight.

In response to these vulnerabilities, Microsoft released a security update in August to patch the flaws. However, organizations using Azure HDInsight must still update their instances and apply the fixes. Ben Shitrit advises organizations to create a new cluster with the desired component and the latest platform version that includes the security updates. They would then need to migrate their applications to use the new cluster.

Azure HDInsight is a fully managed, cloud-native open source analytics service used by organizations to manage clusters for Hadoop, Apache Spark, Apache Kafka, and other frameworks in the Azure environment. It allows organizations to scale their big data workloads up or down as needed and create clusters on demand. The service also integrates with Azure Monitor logging, enabling administrators to monitor their clusters through a single interface.

Orca Security discovered six stored XSS flaws and two reflected XSS vulnerabilities in various Apache services on Azure HDInsight. Cross-site scripting flaws occur when a web application or site accepts user input without validating or sanitizing the data first, giving attackers an opportunity to inject malicious code into the website. Stored XSS flaws involve permanently storing the malicious script on the target web server to execute it when a user visits the page. Reflected XSS flaws allow attackers to inject malicious code into a site URL that triggers execution when a user clicks on a link to that URL.

Ben Shitrit revealed that the first XSS flaw discovered by Orca was in Apache Ambari, a Hadoop cluster management technology. The researchers found multiple default parameters in the technology that they could easily modify. This prompted them to search for more vulnerabilities, leading to the discovery of seven additional ones. According to Ben Shitrit, the ease with which these vulnerabilities were found in the Apache services on Azure HDInsight, and in a short period, raises significant concerns about the overall security of the service.

These findings add to the growing concerns over the security of cloud computing environments provided by Microsoft and other cloud providers. Recently, the Department of Homeland Security initiated an investigation into the security of cloud computing environments due, in part, to a breach of Microsoft’s cloud service that allowed a Chinese threat group to gain access to the networks of 25 organizations.

Microsoft addressed the discovered flaws by assigning each a Common Vulnerabilities and Exposures (CVE) identifier and rating them as “important” severity. The company stated that an attacker would require some level of user interaction, such as sending the victim a malicious file that needs to be executed. Additionally, the attacker would need administrator-level privileges to exploit the vulnerabilities fully.

While there are no specific actions organizations can take to make Azure HDInsight more secure, Ben Shitrit recommends following security best practices. These measures include implementing a Content Security Policy (CSP), performing input validation and output encoding, and adhering to the principle of least privilege. By adopting these practices, organizations can reduce their exposure to XSS vulnerabilities in general.
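The three measures named above can be shown together in a short sketch. This is an added example, not code from Orca Security, Microsoft or any Apache project; the settings page, parameter names, route and sample values are hypothetical and constructed for illustration.

```javascript
// Added example: names, routes and sample data below are hypothetical.

// Output encoding for HTML text and quoted-attribute contexts.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Input validation: allow-list for parameter names; anything else is dropped.
function isValidParamName(name) {
  return typeof name === "string" && /^[A-Za-z0-9._-]{1,128}$/.test(name);
}

// CSP without 'unsafe-inline': injected inline scripts and event handlers
// are refused by the browser even if an encoding step is missed somewhere.
function buildCsp() {
  return ["default-src 'self'", "script-src 'self'", "object-src 'none'",
          "base-uri 'none'", "frame-ancestors 'self'"].join("; ");
}

// Renders stored settings (the stored-XSS sink) and echoes a search term
// taken from the URL (the reflected-XSS sink); both are encoded on output.
function renderSettingsPage(storedParams, searchTerm) {
  const rows = storedParams
    .filter((p) => isValidParamName(p.name))
    .map((p) => `<tr><td>${escapeHtml(p.name)}</td><td>${escapeHtml(p.value)}</td></tr>`)
    .join("");
  return {
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": buildCsp(),
    },
    body: `<!doctype html><input name="q" value="${escapeHtml(searchTerm)}">` +
          `<table>${rows}</table><script src="/static/app.js"></script>`,
  };
}

// Constructed sample input, including markup-bearing values.
const SAMPLE_PARAMS = [
  { name: "queue.capacity", value: "50" },
  { name: "cluster.note", value: "<script>alert(1)</script>" },
  { name: 'bad"name<x>', value: "1" },
];
const page = renderSettingsPage(SAMPLE_PARAMS, '"><img src=x onerror=alert(1)>');
console.log(page.headers["Content-Security-Policy"]);
console.log(page.body);
```

Encoding at the point of output neutralises both the stored and the reflected value, while the policy header acts as a second layer if one sink is missed.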

In conclusion, the discovery and subsequent patching of severe vulnerabilities in Apache services in Azure HDInsight have raised concerns about the overall security of Microsoft’s cloud services. While the company has taken steps to address the flaws, organizations using Azure HDInsight must still update their instances to apply the fixes. The ease with which these vulnerabilities were found underscores the importance of following security best practices and regularly applying necessary patches to mitigate the risk of XSS vulnerabilities.
