Article Details
Scrape Timestamp (UTC): 2023-12-07 14:16:02.968
Source: https://thehackernews.com/2023/12/new-azure-hdinsight-vulnerabilities.html
Original Article Text
New Azure HDInsight Vulnerabilities Pose Privilege Escalation Threats

Three new security vulnerabilities have been discovered in Azure HDInsight's Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition.

"The new vulnerabilities affect any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie," Orca security researcher Lidor Ben Shitrit said in a technical report shared with The Hacker News.

The list of flaws is as follows -

The two privilege escalation flaws could be exploited by an authenticated attacker with access to the target HDI cluster to send a specially crafted network request and gain cluster administrator privileges. The XXE flaw is the result of a lack of user input validation that allows for root-level file reading and privilege escalation, while the JDBC injection flaw could be weaponized to obtain a reverse shell as root.

"The ReDoS vulnerability on Apache Oozie was caused by a lack of proper input validation and constraint enforcement, and allowed an attacker to request a large range of action IDs and cause an intensive loop operation, leading to a denial-of-service (DoS)," Ben Shitrit explained.

Successful exploitation of the ReDoS vulnerability could result in a disruption of the system's operations, cause performance degradation, and negatively impact both the availability and reliability of the service.

Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023.

The disclosure arrives nearly three months after Orca also detailed a collection of eight flaws in the open-source analytics service that could be exploited for data access, session hijacking, and delivering malicious payloads.
Daily Brief Summary
Security researchers have identified three vulnerabilities in Azure HDInsight's services: Apache Hadoop, Kafka, and Spark.
These vulnerabilities can lead to privilege escalation for any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie.
Two privilege escalation flaws allow attackers to craft network requests that could grant them cluster administrator privileges.
An XXE (XML External Entity) vulnerability, caused by inadequate user input validation, allows root-level file reading and privilege escalation; a separate JDBC injection flaw could be used to obtain a reverse shell as root.
The ReDoS (Regular Expression Denial of Service) vulnerability in Apache Oozie can cause service disruptions and performance issues by triggering an intensive loop operation through improperly validated inputs.
Microsoft has addressed these security issues with updates released on October 26, 2023, following responsible disclosure protocols.
These vulnerabilities follow the disclosure of eight other flaws in the same service three months earlier, which could be exploited for data access, session hijacking, and delivery of malicious payloads.