Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration
Summary
Research by the security company Palo Alto Networks disclosed vulnerabilities in Azure Data Factory's Apache Airflow integration that can give attackers full control over managed Airflow deployments, on a single-tenant basis.
Attackers can exploit flaws in Azure's internal Geneva service to gain unauthorized write permissions to a directed acyclic graph (DAG) file, or can use a compromised service principal.
These flaws can provide attackers with shadow admin control over Azure infrastructure, which could lead to data exfiltration, malware deployment, and unauthorized data access.
The researchers alerted Azure to these vulnerabilities and demonstrated how an attacker could exploit them, starting with the uploading of a malicious DAG file to a private GitHub repository connected to the Airflow cluster.
This gave the researchers access to the cluster’s admin privileges, enabling them to gain full control over the entire cluster.
Azure issued a statement saying the findings were isolated to the researchers' cluster, but the fact that the managed Airflow deployment used default, unchangeable configurations, and that the cluster admin role was attached to the Airflow runner, created a security issue.