- Orca Security found a highly important vulnerability on Azure Cosmos DB, where authentication checks were missing from Cosmos DB Notebooks.
- The Orca Security Pod reported it to the Microsoft Security Response Center (MSRC), which fixed the important issue within two days.
- The vulnerability allowed an unauthenticated user to obtain read and write access to Azure Cosmos DB Notebooks, inject code, and overwrite code.
Microsoft fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB. The vulnerability was reported by Orca Security, and the tech giant thanked them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. According to the announcement, the vulnerability only affects users who are using Jupyter Notebooks, which is approximately 0.2% of Azure Cosmos DB customers.
Azure Cosmos DB Jupyter Notebooks
Orca Security published a post announcing that they found a highly important vulnerability in Azure Cosmos DB and immediately reported it to the Microsoft Security Response Center. It is caused by missing authentication checks in Cosmos DB Notebooks, hence the vulnerability is named CosMiss. It allows an attacker who knows the Notebook’s ‘forwardingId’, which is the UUID of the Notebook Workspace, to have full permissions on the Notebook, including read and write access and the ability to modify the file system of the container running the notebook.
The team managed to modify the container file system to obtain Remote Code Execution in the notebook container. According to Microsoft’s announcement, the bug was introduced on August 12th and fully patched worldwide on October 6th, two days after it was reported. To exploit the vulnerability, attackers would have to guess the 128-bit cryptographically random GUID of an active session and use it within an hour.
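To make the root cause and the fix concrete, here is an added example that models the two authorization behaviours the page describes: before the fix, presenting a known forwardingId was enough; after the fix, each notebook session also requires an Authorization token in the request header, and session ids are only usable for about an hour. This is illustrative code written for this page, not Microsoft's or Orca Security's code; the session store, header names other than forwardingId and Authorization, the bearer-token format and the one-hour expiry are assumptions made to keep the model self-contained.

```python
import hmac
import secrets
import time
import uuid

# The page says an active session id is usable for roughly an hour (assumed as a hard TTL here).
SESSION_TTL_SECONDS = 3600


class NotebookSessionStore:
    """Constructed model of a notebook session registry (not the real service)."""

    def __init__(self, now=time.time):
        self.now = now  # injectable clock so expiry can be exercised deterministically
        self._sessions = {}  # forwarding_id -> (owner, auth_token, created_at)

    def open_session(self, owner: str):
        # forwardingId: a 128-bit random UUID, as the page describes
        forwarding_id = str(uuid.uuid4())
        # Per-session secret that the fix requires in addition to the id (assumed format)
        auth_token = secrets.token_urlsafe(32)
        self._sessions[forwarding_id] = (owner, auth_token, self.now())
        return forwarding_id, auth_token

    def lookup(self, forwarding_id: str):
        return self._sessions.get(forwarding_id)


def vulnerable_authorize(store: NotebookSessionStore, headers: dict) -> bool:
    """Pre-fix behaviour as the page describes it: knowing forwardingId alone grants access."""
    forwarding_id = headers.get("forwardingId")
    return forwarding_id is not None and store.lookup(forwarding_id) is not None


def hardened_authorize(store: NotebookSessionStore, headers: dict) -> bool:
    """Post-fix behaviour: the request must also carry a valid, unexpired session token."""
    forwarding_id = headers.get("forwardingId")
    authorization = headers.get("Authorization", "")
    if forwarding_id is None:
        return False
    record = store.lookup(forwarding_id)
    if record is None:
        return False
    _owner, expected_token, created_at = record
    if store.now() - created_at > SESSION_TTL_SECONDS:
        return False  # stale session id: reject even with a correct token
    if not authorization.startswith("Bearer "):
        return False
    presented = authorization[len("Bearer "):]
    # Constant-time comparison so token checks do not leak timing information
    return hmac.compare_digest(presented, expected_token)


def demo() -> dict:
    """Exercise both checks against constructed requests; returns a dict of outcomes."""
    clock = {"t": 1_000_000.0}
    store = NotebookSessionStore(now=lambda: clock["t"])
    forwarding_id, token = store.open_session("alice")

    # Constructed requests: one that only knows the id, one from the session owner
    id_only = {"forwardingId": forwarding_id}
    owner_request = {"forwardingId": forwarding_id, "Authorization": f"Bearer {token}"}

    results = {
        "vulnerable_accepts_id_only": vulnerable_authorize(store, id_only),
        "hardened_rejects_id_only": not hardened_authorize(store, id_only),
        "hardened_accepts_owner": hardened_authorize(store, owner_request),
    }
    # Advance the clock past the TTL: a once-valid session must stop working
    clock["t"] += SESSION_TTL_SECONDS + 1
    results["hardened_rejects_expired"] = not hardened_authorize(store, owner_request)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two functions differ only in what they treat as a credential: the vulnerable check uses the session identifier as if it were a secret, while the hardened check treats the identifier as a lookup key and requires a separate, expiring, constant-time-compared token. That is the same distinction the page draws when it notes that forwardingId was never documented as a secret.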
- The vulnerability was found in Azure Cosmos DB Jupyter Notebooks, Microsoft’s fast NoSQL database which is used extensively in Microsoft’s own e-commerce platforms and in the retail industry for storing catalog data and for event sourcing in order processing pipelines.
- Jupyter Notebooks are built into Azure Cosmos DB, and are used by developers to perform common tasks, such as data cleaning, data exploration, data transformation, and machine learning. During our research, we found that authentication checks were missing from Cosmos DB Jupyter Notebooks.
- This is especially risky since Cosmos DB Notebooks are used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code.
- The ‘CosMiss’ vulnerability allowed an unauthenticated user to obtain read and write access to Azure Cosmos DB Notebooks, inject code, and overwrite code – constituting remote code execution (RCE).
- However, an attacker was only able to take advantage of the vulnerability if they knew the UUID of the Notebook Workspace, also referred to as forwardingId. As far as we know, the only way to obtain the forwardingId is to open the Notebook as an authenticated user. The forwardingId is not documented as a secret though, so we don’t have any reason to believe that users would treat it as such.
- On October 3rd, 2022, Orca Security reported the vulnerability to Microsoft, who fixed and patched the vulnerability within two days – now requiring an Authorization token in the request Header for each notebook session.
Orca Security said,
« To demonstrate the vulnerability, we created a Cosmos DB using the Azure Table API and Serverless Capacity mode. The exploit is also validated on Core SQL API (recommended) and provisioned throughput deployment.
The notebooks feature in Cosmos DB Data Explorer blade allows customers to access and visualize their data using the Jupyter capabilities (in Python, C# or other runtimes). In addition, customers use this feature to examine data from the Cosmos DB combined with other data sources which can be integrated using their APIs. »