Three flaws were recently uncovered in Microsoft’s Azure-based data integration service that could give attackers administrative control over companies’ Azure cloud infrastructures. These vulnerabilities, discovered by researchers at Palo Alto Networks’ Unit 42, specifically affected Azure Data Factory’s Apache Airflow integration. Azure Data Factory lets users manage data pipelines when moving information between different sources, while Apache Airflow handles the scheduling and orchestration of complex workflows.
While Microsoft initially classified these flaws as low-severity vulnerabilities, Unit 42 researchers found that exploiting them successfully could enable an attacker to gain persistent access as a shadow administrator over the entire Airflow Azure Kubernetes Service (AKS) cluster. As outlined in a blog post published by Unit 42 on December 17, the vulnerabilities included misconfigured Kubernetes role-based access control in the Airflow cluster, mishandling of Azure’s internal Geneva service secrets, and weak authentication for Geneva.
The researchers explained that the flaws allowed attackers to manipulate the Airflow cluster and related infrastructure, potentially tamper with log data, and access other sensitive Azure resources. These vulnerabilities highlighted the importance of managing service permissions and monitoring the operations of critical third-party services within a cloud environment to prevent unauthorized access to a cluster.
Unit 42 promptly informed Microsoft Azure of the flaws, which were then addressed by the Microsoft Security Response Center. Although the exact fixes implemented to mitigate the vulnerabilities were not disclosed, it is crucial to acknowledge the swift response from Microsoft in resolving the security concerns.
In another development, the researchers detailed how cyber attackers could gain initial administrative access through unauthorized write permissions to directed acyclic graph (DAG) files used by Apache Airflow. DAG files define the workflow structure in Python code, specifying task execution sequences, dependencies, and scheduling rules. Attackers could exploit write permissions to storage accounts containing DAG files, or use shared access signatures, to tamper with these files, enabling them to execute malicious actions once the victim’s Airflow instance imports the files.
Additionally, attackers could target Git repositories using leaked credentials or misconfigured repositories to create or modify DAG files for unauthorized activities. By manipulating compromised DAG files, attackers could execute code that grants them reverse shell access, ultimately leading to cluster admin privileges. This escalation could result in unauthorized access, data exfiltration, and exploitation of other cloud services within the Azure environment.
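Because Airflow executes DAG files as Python on import, the defensive control that follows from the scenario above is to verify DAG integrity before the scheduler ever sees a change. The script below is an added example, not Unit 42's or Microsoft's code: it records a SHA-256 baseline of every .py file in a DAG folder and reports files that were added, removed, or modified since the baseline. It assumes DAGs are available as a local directory (for example a synced copy of the storage account or a checkout of the Git repository); the sample DAG contents and the tampering sequence in demo() are constructed for illustration.

```python
"""Baseline-and-verify integrity check for Apache Airflow DAG files.

Added example, not code from Unit 42 or Microsoft. Assumes the DAG folder
is reachable as a local directory (synced storage account, Git checkout).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large DAG files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(dag_dir) -> dict:
    """Map each .py file (path relative to dag_dir) to its SHA-256 digest."""
    dag_dir = Path(dag_dir)
    return {
        str(p.relative_to(dag_dir)): _sha256(p)
        for p in sorted(dag_dir.rglob("*.py"))
    }


def verify(dag_dir, baseline: dict) -> dict:
    """Compare the current DAG folder against a stored baseline.

    Returns sorted lists of added, removed and modified DAG files. Any
    non-empty list should block the sync and raise an alert, since an
    unexpected DAG change is exactly the initial-access path described above.
    """
    current = build_baseline(dag_dir)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an unauthorized
    edit of an existing DAG and a new DAG dropped into the folder."""
    with tempfile.TemporaryDirectory() as d:
        dags = Path(d)
        (dags / "etl_daily.py").write_text("# constructed sample DAG\n")
        baseline = build_baseline(dags)
        # Simulated tampering (constructed): modify one DAG, add another.
        (dags / "etl_daily.py").write_text("# constructed sample DAG, altered\n")
        (dags / "new_dag.py").write_text("# constructed new DAG\n")
        return verify(dags, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be produced from a reviewed commit and stored somewhere the DAG-folder writers cannot reach, so that a write permission or leaked shared access signature on the storage account is not also enough to rewrite the baseline.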
The vulnerabilities and exploit scenarios underscore the importance of extending cloud security measures beyond individual clusters to safeguard the entire cloud environment. It is essential to secure permissions, configurations, and data assets within the cloud, as well as to implement policy and audit engines to detect and prevent security incidents. By understanding and securing service dependencies, enterprises can better protect their cloud infrastructure from potential cyber threats.
Overall, these findings serve as a critical reminder for organizations to prioritize comprehensive cloud security strategies to mitigate risks associated with potential vulnerabilities and unauthorized access within cloud environments.