Microsoft silent patches called “a grossly irresponsible policy”
Cyber security company Tenable said that the tech giant is putting customers at risk after it found two bugs in Microsoft Azure analytics software, one of which users weren’t made aware of


Cyber security company Tenable Security said it found two bugs in Microsoft Azure analytics software and complained that the tech giant did not follow industry standards in disclosing the patch to its customers.
Tenable claimed that Microsoft patched one bug in its Synapse Analytics platform without telling users, and left the other unpatched, according to the company’s blog. Synapse Analytics is a machine learning and data aggregation platform that runs on Apache Spark with limited permissions.
The security company found a privilege escalation flaw that allowed a user to escalate privileges to those of the root user within the context of a Spark VM. The other flaw allowed a user to poison the hosts file on all nodes in their Spark pool, which lets that user redirect subsets of traffic and snoop on services users generally don’t have access to. The full privilege escalation flaw has been addressed, said Tenable, but the hosts file poisoning flaw remained unpatched when the blog post was published.
Tenable underlined that many of the keys, secrets, and services accessible via these attacks have traditionally allowed further lateral movement and potential compromise of Microsoft-owned infrastructure. This could lead to a compromise of other customers’ data, it added. However, for Synapse Analytics, root user access is limited to their own Spark pool so access to resources outside of this would require additional vulnerabilities to be chained and exploited.
The cyber security company rated the issue as critical severity, although it said that Microsoft considered the issue a low severity defence-in-depth improvement.
Tenable complained that there was some kind of disconnect between the Microsoft Security Response Center (MSRC) and the development team behind Synapse Analytics. The company had to reach out via Twitter to get a response despite requesting status updates via emails and the researcher portal.
“During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues,” detailed Tenable’s blog post. “A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research. This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.”
The cyber security company added that MSRC began attempting to downplay the issue and classified it as a best practice recommendation instead of a security issue. It wasn’t until Tenable notified MSRC of its intent to publish its findings that the Microsoft teams acknowledged that the issues were security-related.
“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” said Amit Yoran, chairman and CEO of Tenable, in a LinkedIn post. “To date, Microsoft customers have not been notified.”
Yoran called it a repeated pattern of behaviour, pointing to how other security companies have written about their vulnerability notification interactions with Microsoft, and the tech giant’s dismissive attitude about the risk that vulnerabilities present to their customers. He highlighted how Orca Security, Wiz, Positive Security and Fortinet published prime examples, with the latter covering the security disaster known as “Follina”.
“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially,” said Yoran. “Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”
“We addressed the issues that Tenable reported to us and no customer action is required,” a Microsoft spokesperson told IT Pro.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.