Microsoft, already under scrutiny for its cloud security practices, recently patched as many as eight severe vulnerabilities in various Apache services in Azure HDInsight — the software giant's managed big data analytics service.
The relatively little effort that it took to find the flaws raises questions about the overall security of the service, according to researchers from Orca Security, who found the flaws.
All discovered vulnerabilities were cross-site scripting (XSS) issues that posed a significant risk to data and user privacy. An attacker could have exploited the vulnerabilities to hijack Web sessions and put user data at risk, the security vendor said.
"With any of these XSS vulnerabilities, an attacker could have delivered a malicious payload to any unsuspecting user of the relevant Apache service, such as Hadoop, Spark, and Oozie," says Lidor Ben Shitrit, cloud security researcher at Orca Security.
Microsoft patched the flaws in its August monthly security update. However, organizations must still update their Azure HDInsight instances to apply the fixes. "HDInsight doesn't support in-place upgrades, so users must create a new cluster with the desired component and latest platform version that includes the security updates," Ben Shitrit says. Next, they’ll have to migrate their applications to use the new cluster."
Azure HDInsight is a fully managed, cloud-native open source analytics service that organizations use to manage clusters for Hadoop, Apache Spark, Apache Kafka, and other frameworks in the Azure environment. The technology allows organizations to scale their big data workloads up or down as needed and create clusters on demand. It also integrates with the Azure Monitor logging feature so admins can monitor their clusters via a single interface.
Stored & Reflected XSS Flaws
Six of the XSS vulnerabilities that Orca discovered in various Apache services on Azure HDInsight are termed stored XSS flaws, and the other two are reflected XSS vulnerabilities. Cross-site scripting flaws basically occur when a Web application or site accepts user input — comments, for example — and then displays it on a webpage without properly validating or sanitizing the data first. The flaws give attackers an opportunity to inject malicious code into a website that then is executed in the victim's browser when they visit the site.
With a stored XSS flaw, the malicious script is permanently stored on the target Web server and executed every time a user visits the page. A reflected XSS flaw, on the other hand, allows an attacker to inject malicious code into the site URL that executes immediately when a user clicks on a link to that URL. XSS flaws have consistently figured in the Open Web Application Security Project (OWASP) list of common vulnerabilities for years.
Ben Shitrit says the first XSS flaw that Orca discovered in Azure HDInsight was in a Hadoop cluster management technology called Apache Ambari. Orca researchers discovered they were multiple default parameters in the technology that they could modify in a relatively straightforward manner. Surprised at how easy it was, they looked around the see if they could find more.
Azure Bugs, Simple to Find
"In summary, the first XSS vulnerability that we found in Apache Ambari Background Operations was surprisingly simple," Ben Shitrit says. "Armed with this knowledge we knew that if we dug deeper, we'd probably find more, which is how we ended up finding seven additional ones.” The fact that Orca was able to uncover eight XSS vulnerabilities in Azure HDInsight via Apache Services in a few days calls into question the overall security of the service, he says.
Concerns over the security of Microsoft's cloud security services — and that of other cloud providers have been growing in recent months. The Department of Homeland Security earlier this month launched an investigation into the security of cloud computing environments triggered at least partly by a breach of Microsoft's cloud service earlier, which allowed a Chinese threat group to gain access to networks of 25 organizations.
Microsoft issued CVEs for each of the flaws and assessed them as being of "important" severity, which is a designation that is a step lower from "critical." The company described each of the flaws as issues that an attacker would be able to exploit only with some level of user interaction. "An attacker would have to send the victim a malicious file that the victim would have to execute," Microsoft said, adding that the attacker would need to have administrator level privileges to be able to exploit the flaws.
Ben Shitrit says there's not a whole lot that organizations can do that is specific to Azure HDInsight to make it more secure, other than to always apply Microsoft's patches for the technology.
"But by following security best practices, such as implementing a Content Security Policy (CSP), performing input validation and output encoding, as well as adhering to the principle of least privilege, they can reduce their exposure to XSS vulnerabilities in general," he says.