Delphix

TB087 An Authenticated Delphix User May Be Granted OS-Level Access on Engines Deployed in Azure

 

 

 

Alert Type

Security

Impact

FIPS 199 Severity Level: High

CVSS Score: 8.1

Attack Vector (AV): N

Attack Complexity (AC): L

Privileges Required (PR): H

User Interaction (UI): R

Scope (S): C

Confidentiality (C): H

Integrity (I): H

Availability (A): N

An authenticated Delphix user may be granted Delphix OS-level access, allowing them to circumvent other protections and permissions on the Delphix appliance. 

Contributing Factors

 

 
Versions of the Delphix Engine to which this article applies:

Major Release: 6.0
All Sub Releases: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0

 

This issue can only occur on a Delphix Engine that was newly deployed in Azure using one of the susceptible versions listed above. The issue does not exist on engines that were upgraded from a version older than 6.0.0.0. 

When deploying a Delphix Engine in Azure, an Azure administrator must specify credentials for the administrative account. The referenced issue only exists if the Azure administrator created the administrator account with an authentication type of "Password". The issue does not exist if the Azure administrator chose "SSH Public Key" as the authentication type.

The following Azure CLI command can be used to check whether a Delphix Engine may be susceptible:

$ az vm show -g platform-qa -n name-of-your-azure-vm --query 'osProfile'
{
  "adminPassword": null,
  "adminUsername": "sysadmin",
  "allowExtensionOperations": true,
  "computerName": "name-of-your-azure-vm",
  "customData": null,
  "linuxConfiguration": {
    "disablePasswordAuthentication": false,
    "provisionVmAgent": true,
    "ssh": null
  },
  "requireGuestProvisionSignal": true,
  "secrets": [],
  "windowsConfiguration": null
}

If "adminUsername" matches any username configured on the Delphix Engine (e.g. "sysadmin" or any user created after the Delphix Engine was deployed), and "disablePasswordAuthentication" is false, then your Delphix Engine is susceptible.
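
The check described above can be scripted so it gives the same answer on every VM. The following is an added example, not Delphix code: it applies the two conditions to the osProfile JSON, and the script name, the operator-supplied list of engine usernames and the handling of a missing flag are assumptions of the example.

```python
import json
import sys

# Constructed sample: abridged from the osProfile output shown above.
SAMPLE_OS_PROFILE = """
{
  "adminPassword": null,
  "adminUsername": "sysadmin",
  "computerName": "name-of-your-azure-vm",
  "linuxConfiguration": {
    "disablePasswordAuthentication": false,
    "provisionVmAgent": true,
    "ssh": null
  },
  "windowsConfiguration": null
}
"""


def check_os_profile(os_profile, engine_usernames):
    """Apply the advisory's two conditions; return (susceptible, reason)."""
    linux = os_profile.get("linuxConfiguration") or {}
    admin = os_profile.get("adminUsername")
    # Only an explicit true counts as an "SSH Public Key" deployment. A missing
    # or null flag is treated as password authentication so the VM still gets
    # reviewed (a conservative choice made for this example).
    if linux.get("disablePasswordAuthentication") is True:
        return False, "password authentication is disabled"
    if admin not in engine_usernames:
        return False, f"adminUsername {admin!r} is not an engine username"
    return True, f"adminUsername {admin!r} is an engine user with password authentication enabled"


def main(argv):
    # Usage (hypothetical script name):
    #   az vm show -g <group> -n <vm> --query osProfile | python3 check_tb087.py sysadmin other-user
    # Engine usernames are supplied by the operator; without piped input the sample is used.
    usernames = set(argv[1:]) or {"sysadmin"}
    raw = SAMPLE_OS_PROFILE if sys.stdin.isatty() else sys.stdin.read()
    susceptible, reason = check_os_profile(json.loads(raw), usernames)
    print(("SUSCEPTIBLE: " if susceptible else "not susceptible: ") + reason)
    return 1 if susceptible else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits with status 1 when both conditions hold, so it can be run in a loop over several VMs.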

Symptoms

When logging in to a Delphix Engine via SSH or the console, the user is placed into a bash shell rather than the Delphix CLI.

Relief/Workaround

Customers with a susceptible engine who are concerned that their appliance was compromised by their Azure administrator should consider deleting the Delphix Engine and deploying a new engine running 6.0.6.1 or later.

Resolution

Newly deployed Delphix Engines running 6.0.6.1 in Azure will not be affected by this issue.

Additional Information

N/A

Related Documents

N/A