Cybersecurity researchers at Palo Alto Networks Unit 42 have identified three significant security vulnerabilities in Microsoft Azure Data Factory's Apache Airflow integration. Although Microsoft rated these flaws as low severity, chaining them could enable attackers to gain unauthorized administrative access to, and control over, the entire Airflow Azure Kubernetes Service (AKS) cluster.
The identified vulnerabilities include:
1. Misconfigured Kubernetes RBAC in Airflow cluster
2. Misconfigured secret handling of Azure’s internal Geneva service
3. Weak authentication for Geneva
Attack Methodology:
– Attackers could exploit these vulnerabilities by uploading malicious DAG files to connected private GitHub repositories
– Access could be gained through compromised service principals, SAS tokens, or leaked Git credentials
– Once inside, attackers could deploy privileged pods and gain root access to host virtual machines
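As an added defender-side example (not code from Unit 42 or Microsoft), the following Python checks flag two links in the chain described above: a ClusterRoleBinding that hands cluster-admin to a workload service account, and a pod spec that requests host-level access. The `airflow` namespace and every manifest below are constructed assumptions, not values from the advisory.

```python
# Added example: audit checks for over-broad RBAC and host-escape pod settings.
# All manifests are constructed samples; the "airflow" namespace is an assumption.

CLUSTER_ADMIN = "cluster-admin"

def risky_bindings(bindings, namespace="airflow"):
    """Names of ClusterRoleBindings that grant cluster-admin to a ServiceAccount
    in `namespace` (assumed here to be where the Airflow workers run)."""
    hits = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != CLUSTER_ADMIN:
            continue
        if any(s.get("kind") == "ServiceAccount" and s.get("namespace") == namespace
               for s in b.get("subjects", [])):
            hits.append(b["metadata"]["name"])
    return hits

def privileged_pod_findings(pod):
    """Settings in a pod spec that would let a container reach the host VM."""
    spec = pod.get("spec", {})
    findings = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append("privileged:" + c["name"])
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append("hostPath:" + v["hostPath"].get("path", ""))
    return findings

# Constructed samples: one over-broad binding, one pod that would yield root on the node.
SAMPLE_BINDINGS = [
    {"metadata": {"name": "airflow-worker-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
    {"metadata": {"name": "airflow-pod-reader"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "airflow-worker", "namespace": "airflow"}]},
]
SAMPLE_POD = {"spec": {"hostPID": True,
                       "containers": [{"name": "shell", "image": "busybox",
                                       "securityContext": {"privileged": True}}],
                       "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
SAFE_POD = {"spec": {"containers": [{"name": "task", "image": "busybox",
                                     "securityContext": {"privileged": False}}]}}

if __name__ == "__main__":
    print("risky bindings:", risky_bindings(SAMPLE_BINDINGS))
    print("pod findings:", privileged_pod_findings(SAMPLE_POD))
```

In practice the same functions would be fed the output of `kubectl get clusterrolebindings -o json` and the pod manifests rendered by the DAG, or be wired into an admission policy so that such a pod is rejected rather than merely reported.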
Security Implications:
– Potential for unauthorized cluster administration
– Ability to manipulate log data through Geneva service
– Risk of data exfiltration and malware deployment
– Possible tampering with storage accounts and event hubs
Additional Findings:
– Datadog Security Labs revealed a privilege escalation vulnerability in Azure Key Vault
– Users holding the Key Vault Contributor role could potentially access restricted vault contents
– Amazon Bedrock CloudTrail logging issues were identified, making it difficult to detect malicious LLM queries
Microsoft has updated its documentation to address these security concerns and emphasize the importance of limiting Contributor role access to prevent unauthorized access to key vaults and sensitive data.