Security news that informs and inspires

Microsoft Discloses Fixed Azure Cosmos DB RCE Flaw

Microsoft has disclosed details on a remote code execution flaw that it had previously fixed in October. The flaw exists in Azure Cosmos DB Jupyter Notebooks, which are leveraged by developers in order to create documents that contain live code, equations, visualizations, and narrative text.

The flaw specifically stems from missing authentication checks in the Jupyter Notebooks feature built into Azure Cosmos DB, Microsoft’s NoSQL database for app development, which is used both in Microsoft’s own e-commerce platforms and across the retail industry to store product data. Researchers with Orca Security, in a Tuesday disclosure, said the vulnerability, which they termed “CosMiss,” could have enabled unauthenticated users to obtain read and write access to Azure Cosmos DB Notebooks and to inject and overwrite code.

“This is especially risky since Cosmos DB Notebooks are used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code,” said Lidor Ben Shitrit and Roee Sagi, with Orca Security, on Tuesday.

In order to exploit the flaw, an attacker who knows a Jupyter Notebook’s forwardingId - the UUID of the Notebook Workspace - could gain full permissions to the Jupyter Notebook without authenticating, because of the missing authentication checks, said researchers. That includes read and write access to the notebook and the ability to modify the file system of the container running it.

However, there are several caveats that hinder exploitation. For one, the only way to obtain the forwardingId is to open the Jupyter Notebook as an authenticated user. According to Microsoft, the forwardingId is 128 bits in length, is randomly generated and is not reused. The forwardingId also expires within one hour, meaning that an attacker must act within the one-hour window in which a session is active, said Microsoft. Orca Security researchers, for their part, argued that the forwardingId is not documented as a secret, “so we don’t have any reason to believe that users would treat it as such.”

Researchers also released proof-of-concept (PoC) exploit code for the vulnerability. Microsoft issued patches for the vulnerability on Oct. 6, days after the flaw was reported to it. As part of the fix, each Jupyter Notebook session now requires an authorization token in the request header, said researchers. Microsoft said in a Tuesday post that no customers were impacted and no action is required, since the patch was already pushed out.
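To make the bug class concrete, here is a constructed, self-contained illustration of the two behaviours described above: a toy notebook gateway that, before the fix, treats possession of a live forwardingId as sufficient authorization, next to a hardened handler that additionally requires an authorization token in the request header and binds it to the session. This is example code written for this article, not Azure Cosmos DB or Orca Security code; the class and function names, the fake clock, and the token values are all assumptions. Only the properties the article states are modelled: a 128-bit random forwardingId that is not reused and expires after one hour, and a post-fix requirement for an authorization token in the header.

```python
"""Constructed illustration of the CosMiss bug class (not Azure Cosmos DB code):
a notebook gateway that authorizes on the forwardingId alone, beside a
hardened handler that also demands the session's authorization token.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

FORWARDING_ID_TTL_SECONDS = 3600  # the article: the forwardingId expires within one hour


@dataclass
class Session:
    forwarding_id: str   # 128-bit random value, generated per session, never reused
    owner_token: str     # token of the authenticated user who opened the notebook
    created_at: float

    def expired(self, now: float) -> bool:
        return now - self.created_at >= FORWARDING_ID_TTL_SECONDS


class NotebookGateway:
    """Hypothetical stand-in for the backend API fronting a notebook container."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the demo can move time forward
        self._sessions = {}          # forwarding_id -> Session

    def open_session(self, owner_token: str) -> str:
        """Called for an authenticated user; returns the forwardingId for the session."""
        forwarding_id = secrets.token_hex(16)   # 16 bytes = 128 bits of randomness
        self._sessions[forwarding_id] = Session(forwarding_id, owner_token, self._clock())
        return forwarding_id

    def _live_session(self, forwarding_id: str):
        session = self._sessions.get(forwarding_id)
        if session is None or session.expired(self._clock()):
            self._sessions.pop(forwarding_id, None)   # expired ids are never reused
            return None
        return session

    def handle_vulnerable(self, forwarding_id: str, headers: dict) -> int:
        """Pre-fix behaviour: a live forwardingId alone grants access (no identity check)."""
        if self._live_session(forwarding_id) is None:
            return 404
        return 200  # read/write to the notebook and its container granted

    def handle_fixed(self, forwarding_id: str, headers: dict) -> int:
        """Post-fix behaviour: the request must also carry the session's authorization token."""
        session = self._live_session(forwarding_id)
        if session is None:
            return 404
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401
        presented = auth[len("Bearer "):]
        # constant-time comparison so the token cannot be recovered byte by byte
        if not hmac.compare_digest(presented, session.owner_token):
            return 403
        return 200


def demo() -> dict:
    """Walk both handlers through the attacker's position: knows the id, holds no token."""
    now = [1_700_000_000.0]                 # constructed fake clock
    gw = NotebookGateway(clock=lambda: now[0])
    fid = gw.open_session("constructed-owner-token")   # constructed token value

    results = {
        "vuln_no_token": gw.handle_vulnerable(fid, {}),
        "fixed_no_token": gw.handle_fixed(fid, {}),
        "fixed_wrong_token": gw.handle_fixed(fid, {"Authorization": "Bearer guess"}),
        "fixed_right_token": gw.handle_fixed(fid, {"Authorization": "Bearer constructed-owner-token"}),
        "unknown_id": gw.handle_vulnerable("0" * 32, {}),
    }
    now[0] += FORWARDING_ID_TTL_SECONDS     # one hour later the id is dead for both handlers
    results["vuln_after_expiry"] = gw.handle_vulnerable(fid, {})
    results["fixed_after_expiry"] = gw.handle_fixed(fid, {"Authorization": "Bearer constructed-owner-token"})
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} -> HTTP {status}")
```

The vulnerable handler returns 200 to anyone who presents a live forwardingId, which is exactly the exposure the article describes; the hardened handler returns 401 or 403 to the same request. The expiry check also shows why the one-hour window matters in both versions: an id captured from an old session is useless, so an attacker would have to obtain it and act while the legitimate session is still open. In a real deployment the token would be validated against the identity provider rather than compared to a value stored at session open; the stored-token comparison here is a simplification.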

“In August 2022, a change in one of the backend APIs used by the Azure Cosmos DB Jupyter Notebooks resulted in requests not being authenticated as expected,” said Microsoft. “Microsoft conducted an investigation of log data from August 12th to Oct 6th and did not identify any brute force requests that would indicate malicious activity.”