Cybersecurity researchers have identified three security vulnerabilities within Microsoft’s Azure Data Factory’s integration with Apache Airflow. If exploited, these vulnerabilities could potentially allow attackers to carry out covert activities, including data exfiltration and the deployment of malware.
According to an analysis by Palo Alto Networks Unit 42, these flaws could provide attackers with persistent access, functioning as shadow administrators over the entire Airflow environment on Azure’s Kubernetes service.
Despite being classified as low severity by Microsoft, the vulnerabilities include:
- Misconfigured Kubernetes Role-Based Access Control (RBAC) in the Airflow cluster.
- Improper handling of secrets within Azure’s internal Geneva service.
- Weak authentication protocols for the Geneva service.
An attacker exploiting these vulnerabilities could not only gain unauthorized access but also manipulate log data or create false logs to avoid detection while establishing new pods or accounts.
The attacker’s initial strategy involves crafting a directed acyclic graph (DAG) file and uploading it to a connected private GitHub repository. They might also alter an existing DAG file to launch a reverse shell to an external server once imported. Achieving this would require the threat actor to obtain write permissions to the storage account housing the DAG files through a compromised service principal or via a shared access signature (SAS) token. Alternatively, they could gain access to a Git repository utilizing leaked credentials.
Initially, the acquired shell would operate under minimal permissions as the Airflow user within a Kubernetes pod. However, further investigation revealed a service account linked to the Airflow runner pod that possessed cluster-admin permissions. This misconfiguration, compounded by the pod’s accessibility over the internet, enabled the attacker to download the Kubernetes command-line tool, kubectl, thereby taking full control of the cluster by deploying a privileged pod and breaking out onto the underlying node.
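The cluster-admin service account described above is the kind of misconfiguration a defender can find before an attacker does. The following Python script, an added example and not code from Unit 42 or from Microsoft, audits a snapshot shaped like `kubectl get clusterroles,clusterrolebindings,pods -A -o json` and lists every pod whose mounted service-account token carries cluster-admin-equivalent rights. The names (`airflow-worker`, `airflow-runner`, the `airflow` namespace) and all data in `SAMPLE` are constructed for illustration, not taken from a real cluster.

```python
"""Find pods running under service accounts that hold cluster-admin-equivalent rights.

Added example: the object shapes mirror `kubectl ... -o json`, but SAMPLE is constructed
test data, not output from any real cluster.
"""

# Constructed sample (resembles `kubectl get clusterroles,clusterrolebindings,pods -A -o json`).
SAMPLE = {
    "clusterroles": [
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": {"name": "airflow-runner"},  # hypothetical least-privilege role
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["get", "list", "watch"]}]},
    ],
    "clusterrolebindings": [
        {"metadata": {"name": "airflow-admin-binding"},  # the misconfiguration
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
        {"metadata": {"name": "airflow-reader-binding"},
         "roleRef": {"kind": "ClusterRole", "name": "airflow-runner"},
         "subjects": [{"kind": "ServiceAccount", "name": "airflow-scheduler", "namespace": "airflow"}]},
    ],
    "pods": [
        {"metadata": {"name": "airflow-worker-0", "namespace": "airflow"},
         "spec": {"serviceAccountName": "airflow-worker"}},
        {"metadata": {"name": "airflow-scheduler-0", "namespace": "airflow"},
         "spec": {"serviceAccountName": "airflow-scheduler"}},
        {"metadata": {"name": "webserver-0", "namespace": "airflow"},
         "spec": {}},  # no serviceAccountName: Kubernetes uses the namespace's "default" SA
    ],
}


def is_wildcard_role(role):
    """True if any rule grants every verb on every resource in every API group."""
    for rule in role.get("rules", []):
        if ("*" in rule.get("verbs", []) and "*" in rule.get("resources", [])
                and "*" in rule.get("apiGroups", [])):
            return True
    return False


def admin_service_accounts(clusterroles, bindings):
    """Map (namespace, service_account) -> ClusterRole name for admin-equivalent bindings."""
    admin_roles = {r["metadata"]["name"] for r in clusterroles if is_wildcard_role(r)}
    admin_roles.add("cluster-admin")  # treat the built-in as admin even if its rules were trimmed
    found = {}
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in admin_roles:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                found[(subject.get("namespace", "default"), subject["name"])] = ref["name"]
    return found


def find_overprivileged_pods(snapshot):
    """Return (namespace, pod, service_account, role) for pods whose token would be cluster-admin."""
    admins = admin_service_accounts(snapshot["clusterroles"], snapshot["clusterrolebindings"])
    findings = []
    for pod in snapshot["pods"]:
        namespace = pod["metadata"]["namespace"]
        sa_name = pod["spec"].get("serviceAccountName", "default")
        # A pod only inherits the rights if the token is actually mounted (default: yes).
        if (namespace, sa_name) in admins and pod["spec"].get("automountServiceAccountToken", True):
            findings.append((namespace, pod["metadata"]["name"], sa_name, admins[(namespace, sa_name)]))
    return findings


if __name__ == "__main__":
    for namespace, pod, sa_name, role in find_overprivileged_pods(SAMPLE):
        print(f"{namespace}/{pod}: service account '{sa_name}' is bound to ClusterRole '{role}'")
```

Against the constructed sample the script reports only `airflow/airflow-worker-0`; the scheduler, bound to a read-only role, and the webserver, using the unbound `default` account, pass. The fix the finding points at is the one the article implies: bind the runner's service account to a role scoped to what DAG execution actually needs, and set `automountServiceAccountToken: false` on pods that do not need to talk to the API server at all. Namespace-scoped RoleBindings that reference `cluster-admin` grant admin only within their namespace and are not covered by this check.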
With root access to the host virtual machine (VM), the attacker could delve deeper into the cloud environment and gain undetected access to Azure-managed internal resources, such as Geneva, which offers write permissions to certain storage accounts and event hubs.
Researchers Ofir Balassiano and David Orlovsky emphasized that such a sophisticated attacker could significantly modify a vulnerable Airflow environment, creating new pods and service accounts or altering cluster nodes while manipulating logs sent to Geneva without raising alarms.
This incident underscores the necessity of stringent service permission management to obstruct unauthorized access while also highlighting the importance of monitoring critical third-party services.
This disclosure coincides with Datadog Security Labs’ report detailing a privilege escalation risk in Azure Key Vault. The report pointed out that users with the Key Vault Contributor role could read or modify sensitive information stored in Key Vault, including API keys and authentication certificates. Although such users have no direct data-plane access to a key vault configured with access policies, it was found that they could add themselves to the access policies, effectively bypassing that restriction.
Microsoft has since updated its documentation to stress the importance of limiting Contributor role access to key vaults under the Access Policy permission model to mitigate unauthorized access.
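Restricting the Contributor role is the preventive control; a detective control is to watch for the self-grant pattern Datadog described, a principal writing an access policy whose object ID is its own. The following Python example is added here and is not Datadog's or Microsoft's code. It runs over a constructed, simplified rendering of Azure Activity Log entries: real entries nest the operation name and request body differently, and the subscription, vault name, callers and object IDs below are placeholders.

```python
"""Flag Key Vault access-policy writes in which the caller grants itself access.

Added example. SAMPLE_EVENTS is a constructed, simplified Activity Log shape (the real
schema nests operationName and the request body differently); all IDs are placeholders.
"""
import json

OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Access policies are written either through the accessPolicies sub-resource or a full vault PUT.
POLICY_WRITE_OPS = {"microsoft.keyvault/vaults/accesspolicies/write",
                    "microsoft.keyvault/vaults/write"}

VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
            "/providers/Microsoft.KeyVault/vaults/kv-demo")  # placeholder resource ID

SAMPLE_EVENTS = [
    {   # Contributor adds its own object ID to the vault's access policies (the risky pattern)
        "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
        "resourceId": VAULT_ID,
        "caller": "contributor@example.test",
        "claims": {OBJECT_ID_CLAIM: "11111111-1111-1111-1111-111111111111"},
        "requestBody": json.dumps({"properties": {"accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get", "list"], "certificates": ["get"]}}]}}),
    },
    {   # Expected administration: an admin grants a different principal access
        "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
        "resourceId": VAULT_ID,
        "caller": "admin@example.test",
        "claims": {OBJECT_ID_CLAIM: "22222222-2222-2222-2222-222222222222"},
        "requestBody": json.dumps({"properties": {"accessPolicies": [
            {"objectId": "33333333-3333-3333-3333-333333333333",
             "permissions": {"secrets": ["get"]}}]}}),
    },
    {   # Unrelated read operation with no body
        "operationName": "Microsoft.KeyVault/vaults/read",
        "resourceId": VAULT_ID,
        "caller": "contributor@example.test",
        "claims": {OBJECT_ID_CLAIM: "11111111-1111-1111-1111-111111111111"},
        "requestBody": "",
    },
]


def policies_in_request(event):
    """Return the access-policy entries carried by a write; tolerate empty or invalid bodies."""
    try:
        body = json.loads(event.get("requestBody") or "{}")
    except json.JSONDecodeError:
        return []
    return body.get("properties", {}).get("accessPolicies", []) or []


def self_grant_events(events):
    """Return (vault_resource_id, caller, permissions) for each policy write whose target
    object ID equals the caller's own object ID."""
    hits = []
    for event in events:
        if event.get("operationName", "").lower() not in POLICY_WRITE_OPS:
            continue
        caller_oid = event.get("claims", {}).get(OBJECT_ID_CLAIM)
        if not caller_oid:
            continue
        for policy in policies_in_request(event):
            if policy.get("objectId", "").lower() == caller_oid.lower():
                hits.append((event["resourceId"], event["caller"], policy.get("permissions", {})))
    return hits


if __name__ == "__main__":
    for vault, caller, permissions in self_grant_events(SAMPLE_EVENTS):
        print(f"{caller} granted itself {permissions} on {vault}")
```

Only the first event is reported. Any hit here is worth a look even when the caller is a legitimate administrator, since it is the exact step that turns control-plane rights into data-plane access to the vault's secrets; vaults migrated to the Azure RBAC permission model do not carry access policies, so this path does not exist for them.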
The same coverage also notes a separate concern regarding Amazon Bedrock’s CloudTrail logging, which records failed API calls in the same way as successful ones, without specific error codes, thereby hindering detection efforts.
This highlights the continuing need for vigilant security practices in cloud environments to safeguard against emerging threats.