{"id":201388,"date":"2022-06-14T11:42:59","date_gmt":"2022-06-14T13:42:59","guid":{"rendered":"https:\/\/teknomers.com\/fr\/details-techniques-publies-pour-la-vulnerabilite-rce-synlapse-signalee-dans-microsoft-azure\/"},"modified":"2022-06-14T11:43:00","modified_gmt":"2022-06-14T13:43:00","slug":"details-techniques-publies-pour-la-vulnerabilite-rce-synlapse-signalee-dans-microsoft-azure","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/details-techniques-publies-pour-la-vulnerabilite-rce-synlapse-signalee-dans-microsoft-azure\/","title":{"rendered":"D\u00e9tails techniques publi\u00e9s pour la vuln\u00e9rabilit\u00e9 RCE \u00ab\u00a0SynLapse\u00a0\u00bb signal\u00e9e dans Microsoft Azure"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both\"><\/div>\n<p>Microsoft a incorpor\u00e9 des am\u00e9liorations suppl\u00e9mentaires pour r\u00e9soudre la vuln\u00e9rabilit\u00e9 de s\u00e9curit\u00e9 SynLapse r\u00e9cemment r\u00e9v\u00e9l\u00e9e afin de r\u00e9pondre \u00e0 toutes les <a rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/security\/fundamentals\/isolation-choices\" target=\"_blank\">isolement des locataires<\/a> <a rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-government\/azure-secure-isolation-guidance\" target=\"_blank\">conditions<\/a> dans Azure Data Factory et Azure Synapse Pipelines.<\/p>\n<p>Les derni\u00e8res protections incluent le d\u00e9placement des runtimes d&#8217;int\u00e9gration partag\u00e9s vers des instances \u00e9ph\u00e9m\u00e8res en bac \u00e0 sable et l&#8217;utilisation de jetons \u00e9tendus pour emp\u00eacher les adversaires d&#8217;utiliser un certificat client pour acc\u00e9der aux informations d&#8217;autres locataires.<\/p>\n<p>&#8220;Cela signifie que si un attaquant pouvait ex\u00e9cuter du code sur le <a rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/data-factory\/concepts-integration-runtime\" target=\"_blank\">environnement d&#8217;ex\u00e9cution d&#8217;int\u00e9gration<\/a>il n&#8217;est jamais partag\u00e9 entre deux locataires diff\u00e9rents, donc aucune donn\u00e9e sensible n&#8217;est en danger \u00bb, a d\u00e9clar\u00e9 Orca Security dans un <a rel=\"nofollow noopener\" href=\"https:\/\/orca.security\/resources\/blog\/synlapse-critical-azure-synapse-analytics-service-vulnerability\/\" target=\"_blank\">rapport technique<\/a> d\u00e9taillant le d\u00e9faut.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/backup-gitlab\" target=\"_blank\" title=\"DevOps backup\"><img loading=\"lazy\" decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/05\/Fronton-un-botnet-IoT-russe-concu-pour-mener-des-campagnes.png\" width=\"300\" height=\"250\" \/><\/a><\/div>\n<p>Le probl\u00e8me de haute gravit\u00e9, suivi comme <a rel=\"nofollow noopener\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/ADV220001\" target=\"_blank\">CVE-2022-29972<\/a> (score CVSS\u00a0: 7,8) et divulgu\u00e9 au d\u00e9but du mois dernier, aurait pu permettre \u00e0 un attaquant d&#8217;ex\u00e9cuter une commande \u00e0 distance et d&#8217;acc\u00e9der \u00e0 l&#8217;environnement cloud d&#8217;un autre client Azure.<\/p>\n<p>Initialement signal\u00e9 par la soci\u00e9t\u00e9 de s\u00e9curit\u00e9 cloud le 4 janvier 2022, SynLapse n&#8217;a \u00e9t\u00e9 enti\u00e8rement corrig\u00e9 que le 15 avril, un peu plus de 120 jours apr\u00e8s la divulgation initiale et deux correctifs ant\u00e9rieurs d\u00e9ploy\u00e9s par Microsoft se sont av\u00e9r\u00e9s facilement contournables.<\/p>\n<div class=\"separator\" style=\"clear: both\"><img decoding=\"async\" alt=\"Vuln\u00e9rabilit\u00e9 Azure\" border=\"0\" data-original-height=\"411\" data-original-width=\"728\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/06\/1655214179_963_Details-techniques-publies-pour-la-vulnerabilite-RCE-SynLapse-signalee-dans.jpg\" title=\"Vuln\u00e9rabilit\u00e9 Azure\" \/><\/div>\n<p>&#8220;SynLapse a permis aux attaquants d&#8217;acc\u00e9der aux ressources Synapse appartenant \u00e0 d&#8217;autres clients via un serveur d&#8217;API Azure interne g\u00e9rant les runtimes d&#8217;int\u00e9gration&#8221;, ont d\u00e9clar\u00e9 les chercheurs.<\/p>\n<p>En plus de permettre \u00e0 un attaquant d&#8217;obtenir des informations d&#8217;identification sur d&#8217;autres comptes clients Azure Synapse, la faille a permis de contourner la s\u00e9paration des locataires et d&#8217;ex\u00e9cuter du code sur les machines client cibl\u00e9es ainsi que de contr\u00f4ler <a rel=\"nofollow noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/synapse-analytics\/quickstart-create-workspace\" target=\"_blank\">Espaces de travail Synapse<\/a> et divulguer des donn\u00e9es sensibles \u00e0 d&#8217;autres sources externes.<\/p>\n<p>\u00c0 la base, la question porte sur un cas de <a rel=\"nofollow noopener\" href=\"https:\/\/insightsoftware.com\/trust\/security\/advisories\/redshift-and-athena-driver-vulnerability\/\" target=\"_blank\">injection de commande<\/a> trouv\u00e9 dans le <a rel=\"nofollow noopener\" href=\"https:\/\/www.magnitude.com\/drivers\/redshift-odbc-jdbc\" target=\"_blank\">Magnitude Simba Amazon Redshift Connecteur ODBC<\/a> utilis\u00e9 dans Azure Synapse Pipelines qui pourrait \u00eatre exploit\u00e9 pour obtenir l&#8217;ex\u00e9cution de code sur le runtime d&#8217;int\u00e9gration d&#8217;un utilisateur ou sur le runtime d&#8217;int\u00e9gration partag\u00e9.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/crowdsec-tour-d\" target=\"_blank\" title=\"CyberSecurity\"><img loading=\"lazy\" decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" src=\"https:\/\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ\/s1600\/crowdsec-728.jpg\" width=\"728\" height=\"90\" \/><\/a><\/div>\n<p>Avec ces capacit\u00e9s en main, un attaquant aurait pu vider la m\u00e9moire du processus qui g\u00e8re les connexions externes, divulguant ainsi les informations d&#8217;identification aux bases de donn\u00e9es, serveurs et autres services Azure.<\/p>\n<p>Plus inqui\u00e9tant encore, un certificat client contenu dans le runtime d&#8217;int\u00e9gration partag\u00e9 et utilis\u00e9 pour l&#8217;authentification aupr\u00e8s d&#8217;un serveur de gestion interne pourrait \u00eatre utilis\u00e9 comme arme pour acc\u00e9der aux informations relatives \u00e0 d&#8217;autres comptes clients.<\/p>\n<p>En reliant le bogue d&#8217;ex\u00e9cution de code \u00e0 distance et l&#8217;acc\u00e8s au certificat du serveur de contr\u00f4le, le probl\u00e8me a effectivement ouvert la porte \u00e0 l&#8217;ex\u00e9cution de code sur n&#8217;importe quel runtime d&#8217;int\u00e9gration sans rien conna\u00eetre d&#8217;autre que le nom d&#8217;un espace de travail Synapse.<\/p>\n<p>&#8220;Il convient de noter que la principale faille de s\u00e9curit\u00e9 n&#8217;\u00e9tait pas tant la capacit\u00e9 d&#8217;ex\u00e9cuter du code dans un environnement partag\u00e9 que les implications d&#8217;une telle ex\u00e9cution de code&#8221;, ont not\u00e9 les chercheurs.<\/p>\n<p>&#8220;Plus pr\u00e9cis\u00e9ment, le fait qu&#8217;un RCE sur le runtime d&#8217;int\u00e9gration partag\u00e9 nous permette d&#8217;utiliser un certificat client donnant acc\u00e8s \u00e0 un puissant serveur d&#8217;API interne. Cela a permis \u00e0 un attaquant de compromettre le service et d&#8217;acc\u00e9der aux ressources d&#8217;autres clients.&#8221;<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/06\/technical-details-released-for-synlapse.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft a incorpor\u00e9 des am\u00e9liorations suppl\u00e9mentaires pour r\u00e9soudre la vuln\u00e9rabilit\u00e9 de s\u00e9curit\u00e9 SynLapse r\u00e9cemment r\u00e9v\u00e9l\u00e9e afin de r\u00e9pondre \u00e0 toutes les isolement des locataires conditions dans Azure Data Factory et Azure Synapse Pipelines. Les derni\u00e8res protections incluent le d\u00e9placement des runtimes d&#8217;int\u00e9gration partag\u00e9s vers des instances \u00e9ph\u00e9m\u00e8res en bac \u00e0 sable et l&#8217;utilisation de jetons [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":201389,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[21082,4168,4158,4165,4161,429,5664,4157,4159,4171,4170,4167,8362,4160,4163,4162,185,15955,22778,4172,4169,9499,78192,7447,4166,3667,4164],"class_list":["post-201388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-azure","tag-comment-pirater","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-dans","tag-details","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-logiciel-malveillant-de-ransomware","tag-microsoft","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-pour","tag-publies","tag-rce","tag-securite-informatique","tag-securite-internet","tag-signalee","tag-synlapse","tag-techniques","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/201388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=201388"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/201388\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/201389"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=201388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=201388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=201388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}