
TB087 An Authenticated Delphix User May Be Granted OS-Level Access on Engines Deployed in Azure




Alert Type



FIPS 199 Severity Level: High

CVSS Score: 8.1

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): H

User Interaction (UI): R

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): N

An authenticated Delphix user may be granted Delphix OS-level access, allowing them to circumvent other protections and permissions on the Delphix appliance. 

Contributing Factors


Major Release All Sub Releases


This issue can only occur on a Delphix Engine that was newly deployed in Azure using one of the susceptible versions listed above. The issue does not exist on engines that were upgraded from a version older than 

When deploying a Delphix Engine in Azure, an Azure administrator must specify credentials for the administrative account. The referenced issue only exists if the Azure administrator created the administrator account with an authentication type of "Password". The issue does not exist if the Azure administrator chose the "SSH Public Key" as the authentication type.

The following Azure CLI command can be used to verify if a Delphix Engine may be susceptible:

$ az vm show -g platform-qa -n name-of-your-azure-vm --query 'osProfile'
{
  "adminPassword": null,
  "adminUsername": "sysadmin",
  "allowExtensionOperations": true,
  "computerName": "name-of-your-azure-vm",
  "customData": null,
  "linuxConfiguration": {
    "disablePasswordAuthentication": false,
    "provisionVmAgent": true,
    "ssh": null
  },
  "requireGuestProvisionSignal": true,
  "secrets": [],
  "windowsConfiguration": null
}

If "adminUsername" matches any username configured on the Delphix Engine (e.g. "sysadmin" or any user created after the Delphix Engine was deployed), and "disablePasswordAuthentication" is false, then your Delphix Engine is susceptible.
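The check above applied to several engines at once, as an added example that is not part of the original bulletin or Delphix tooling. The VM names, the "dbuser1" account and the osProfile objects are constructed samples, and the "review" verdict for a missing password-authentication setting is an assumption of this example.

```python
import json

# Constructed sample: osProfile objects in the shape printed by
# `az vm show -g <group> -n <vm> --query osProfile`, keyed by VM name.
SAMPLE = json.loads("""
{
  "engine-a": {"adminUsername": "sysadmin",
               "linuxConfiguration": {"disablePasswordAuthentication": false,
                                      "ssh": null}},
  "engine-b": {"adminUsername": "sysadmin",
               "linuxConfiguration": {"disablePasswordAuthentication": true,
                                      "ssh": {"publicKeys": []}}},
  "engine-c": {"adminUsername": "azureops",
               "linuxConfiguration": {"disablePasswordAuthentication": false,
                                      "ssh": null}},
  "engine-d": {"adminUsername": "sysadmin", "linuxConfiguration": null}
}
""")


def classify(os_profile, engine_users):
    """Apply the bulletin's two conditions to one osProfile object.

    engine_users: every username configured on that Delphix Engine.
    Returns "susceptible", "not susceptible" or "review" (assumption of
    this example: the password-authentication setting is absent).
    """
    admin = os_profile.get("adminUsername")
    linux = os_profile.get("linuxConfiguration") or {}
    pw_disabled = linux.get("disablePasswordAuthentication")
    if admin not in engine_users:
        return "not susceptible"   # Azure admin name is not an engine user
    if pw_disabled is False:
        return "susceptible"       # name collides and password auth is on
    if pw_disabled is True:
        return "not susceptible"   # "SSH Public Key" deployment
    return "review"                # setting missing: check the VM by hand


def audit(profiles, users_by_vm):
    """Classify every VM; users_by_vm maps VM name -> set of engine users."""
    return {vm: classify(p, users_by_vm.get(vm, set()))
            for vm, p in profiles.items()}


if __name__ == "__main__":
    users = {vm: {"sysadmin", "dbuser1"} for vm in SAMPLE}  # constructed
    for vm, verdict in sorted(audit(SAMPLE, users).items()):
        print(f"{vm}: {verdict}")
```

The engine user list has to include users created after deployment, since the bulletin counts those as matches too.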


When logging into a Delphix Engine via ssh or the console, the user is placed into a bash shell rather than the Delphix CLI.


Customers with a susceptible engine that are concerned that their appliance was compromised by their Azure administrator should consider deleting the Delphix Engine and deploying a new engine running or later.


Newly deployed Delphix Engines running in Azure will not be affected by this issue.
