Orca [7] [8], a security firm, recently discovered three high-risk vulnerabilities in Microsoft Azure’s HDInsight big-data analytics service [1] [3]. These vulnerabilities pose a significant risk and have been promptly addressed by Microsoft.

Description

Orca identified three vulnerabilities in Microsoft Azure’s HDInsight big-data analytics service [1] [3]. The first is a denial-of-service (DoS) bug. The other two are privilege escalation bugs that allow authenticated users to gain unauthorized administrative access and perform operations on sensitive data.

One of the privilege escalation bugs affects Apache Ambari [1] [3], a tool for deploying and managing Apache Hadoop clusters [1] [3]. It allows attackers to escalate from regular user privileges to root access by manipulating the Java Database Connectivity (JDBC) endpoint. The other two vulnerabilities are in Apache Oozie [1] [3], a workflow scheduler for Hadoop [1] [3]. One allows XML External Entity (XXE) injection attacks [1] [3]; the other causes performance degradation when logs are requested for a specific job [1] and is the Regular Expression Denial-of-Service (ReDoS) vulnerability.

Microsoft addressed all three issues in its security update of October 26th, released by the Microsoft Security Response Center (MSRC) [7]. The vulnerabilities in Azure HDInsight’s Apache Hadoop [2] [4] [5] [6], Kafka [2] [4] [5] [6] [7] [8], and Spark services could lead to privilege escalation and to denial-of-service (DoS) conditions caused by regular expression denial of service (ReDoS) [5]. Authenticated users could exploit them by sending specially crafted network requests to gain unauthorized cluster administrator privileges [5]. The privilege escalation vulnerabilities are XML External Entity (XXE) injection and Java Database Connectivity (JDBC) injection [4] [5] [6], which allow file reading and privilege escalation to root [5]. The ReDoS vulnerability stems from insufficient input validation and enforcement of constraints [5]: an attacker can request a large number of action IDs and trigger intensive loop operations [5], potentially resulting in a DoS condition [5]. The outcome is system interruption [5], performance degradation [1] [3] [5], and decreased availability and reliability of the service [5].
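The two missing controls the paragraph above names, a hard cap on how many action IDs one request may carry and XML handling that refuses the document type definitions an XXE payload depends on, can be illustrated with a small request validator. The code below is an added example written for this page; it is not HDInsight, Ambari or Oozie code, and the endpoint, the action-ID format, the limits and the sample requests are all constructed for illustration.

```python
"""Defensive input validation for a hypothetical job-log endpoint.

Added example, not code from HDInsight or Apache Oozie. It enforces the two
constraints the advisory describes as missing: a bound on the number of action
IDs a single request may name (so one call cannot drive unbounded server-side
loops) and rejection of DTD/entity declarations in user-supplied XML (the
construct XML External Entity injection relies on).
"""
import re
import xml.etree.ElementTree as ET

# Constructed limits for this example, not real HDInsight or Oozie settings.
MAX_ACTION_IDS = 50
MAX_ACTION_ID_LEN = 64
MAX_XML_BYTES = 256 * 1024

# Hypothetical action-ID shape. The pattern is anchored and has no nested
# quantifiers, so matching is linear in the input length and cannot itself
# become a regular-expression denial-of-service vector.
_ACTION_ID_RE = re.compile(r"^[0-9]{7}-[0-9]{15}-[A-Za-z0-9_-]{1,40}$")

# Any DTD or entity declaration is refused before the parser sees the document.
_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


class ValidationError(ValueError):
    """Raised when a request violates one of the enforced constraints."""


def validate_action_ids(raw: str) -> list[str]:
    """Split a comma-separated list of action IDs and enforce constraints.

    The overall size and count checks run before any per-item work, so the
    validation loop itself is bounded regardless of what the caller sends.
    Returns the IDs in request order with duplicates removed.
    """
    if len(raw) > MAX_ACTION_IDS * (MAX_ACTION_ID_LEN + 1):
        raise ValidationError("request body exceeds size limit")
    ids = [part.strip() for part in raw.split(",") if part.strip()]
    if not ids:
        raise ValidationError("no action ids supplied")
    if len(ids) > MAX_ACTION_IDS:
        raise ValidationError(f"too many action ids ({len(ids)} > {MAX_ACTION_IDS})")
    accepted: list[str] = []
    seen: set[str] = set()
    for action_id in ids:
        if len(action_id) > MAX_ACTION_ID_LEN or not _ACTION_ID_RE.fullmatch(action_id):
            raise ValidationError(f"malformed action id: {action_id!r}")
        if action_id not in seen:
            seen.add(action_id)
            accepted.append(action_id)
    return accepted


def parse_workflow_xml(document: str) -> ET.Element:
    """Parse user-supplied XML while refusing the constructs XXE needs.

    The size check bounds parser work; the DTD scan rejects DOCTYPE and ENTITY
    declarations outright instead of relying on parser defaults, so neither
    external entities nor internal entity expansion can be declared.
    """
    if len(document.encode("utf-8")) > MAX_XML_BYTES:
        raise ValidationError("xml document exceeds size limit")
    if _DTD_RE.search(document):
        raise ValidationError("DTD and entity declarations are not allowed")
    try:
        return ET.fromstring(document)
    except ET.ParseError as exc:
        raise ValidationError(f"malformed xml: {exc}") from exc


def rejects(func, argument) -> bool:
    """Return True if func(argument) is refused with ValidationError."""
    try:
        func(argument)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: one acceptable, one oversized, one XXE-style.
    ok = "0000001-240101000000000-wf_a,0000002-240101000000000-wf_b"
    flood = ",".join(f"{i:07d}-240101000000000-wf" for i in range(MAX_ACTION_IDS + 1))
    xxe = '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><a>&e;</a>'
    print(validate_action_ids(ok))
    print("flood rejected:", rejects(validate_action_ids, flood))
    print("xxe rejected:", rejects(parse_workflow_xml, xxe))
```

The ordering inside `validate_action_ids` is the point: the count and size limits are checked before the per-ID loop, so the cost of validating a request is bounded by the server's own limits rather than by whatever the client chose to send.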

HDInsight users are advised to apply the latest patch [1]. Because in-place upgrades are not supported [1], users must create a new cluster on the latest platform version with current updates and migrate their old cluster to it [1].

Conclusion

The prompt response from Microsoft in addressing these vulnerabilities is commendable. By implementing the latest patch and migrating to a new cluster, HDInsight users can mitigate the risks associated with these vulnerabilities. However, this development highlights the importance of ongoing vigilance and regular security updates to ensure the availability and reliability of services. Additionally, it underscores the need for robust security controls and authentication measures to prevent potential abuse risks in cloud-based analytics services.

References

[1] https://ciso2ciso.com/microsoft-azure-hdinsight-bugs-expose-big-data-to-breaches-source-www-darkreading-com/
[2] https://thehackernews.com/2024/02/high-severity-flaws-found-in-azure.html
[3] https://www.darkreading.com/cloud-security/microsoft-azure-hdinsight-bugs-expose-big-data-to-breaches/
[4] https://www.redpacketsecurity.com/experts-detail-new-flaws-in-azure-hdinsight-spark-kafka-and-hadoop-services/
[5] https://innovatopia.jp/cyber-security/cyber-security-news/11242/
[6] https://vulners.com/thn/THN:4C9A653A7D6AA9A768CC76CB84B4D425
[7] https://orca.security/resources/blog/azure-hd-insight-vulnerabilities-privilege-escalation/
[8] https://www.techidee.nl/experts-beschrijven-nieuwe-tekortkomingen-in-azure-hdinsight-spark-kafka-en-hadoop-services/5213/