Analysts at Orca Security have found a critical vulnerability affecting Azure Cosmos DB that allowed unauthenticated read and write access to containers.
Named CosMiss, the security issue is in Azure Cosmos DB built-in Jupyter Notebooks that integrate into the Azure portal and Azure Cosmos DB accounts for querying, analyzing, and visualizing NoSQL data and results easier.
Azure Cosmos DB is Microsoft’s fully managed NoSQL database that features broad API type support for applications of all sizes. Jupyter Notebooks is a web-based interactive platform that allows users to access Cosmos DB data.
The issue that researchers at Orca Security discovered is that Cosmos DB Jupyter Notebooks lacked authentication checks that prevented unauthorized access, and even modify a container, if they had the UUID of the Notebook Workspace.
“If an attacker had knowledge of a Notebook’s ‘forwardingId’, which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook without having to authenticate, including read and write access” – Orca Security
Orca’s researchers reported their findings to Microsoft on October 3, 2022, and the software vendor fixed the critical issues within two days, on October 5, 2022.
The researchers today published a detailed technical write-up for the flaw and provided a proof-of-concept (PoC) that allowed code execution. The exploit no longer works, since Microsoft already released a fix.
When a user creates a new Notebook on Azure Cosmos DB, a new endpoint is created along with a unique new session/notebook ID (UUIDv4).
The researchers reviewed the traffic of the request from a newly created notebook to the server and noticed the existence of an Authorization Header.
When they removed this header and sent a request to list all Notebooks on that server, the analysts noticed that the server responded normally, so the Authorization Header wasn’t required.
By trying out other types of otherwise valid PUT requests containing JSON payloads, Orca’s analysts found out they could modify the code in the Notebook, overwrite data, inject new snippets, or delete them.
Also, since the previous command discloses all Notebook IDs on the same platform, the attackers would be in a position to access and modify any of them.
To take things one step further, an attacker can modify the file that builds the Explorer Dashboard by injecting Python code and then load the Cosmos Data Explorer via the Azure interface.
When Data Explorer is loaded, the Python code executed automatically, giving the attacker a reverse shell on the client.
Since Azure Cosmos DB is a fully managed, serverless distributed database, the fixes are taking place on the server side, so users don’t need to take any action to mitigate the risk.
Update 11/1: Microsoft’s Security Response Center has also published a report about this fix, highlighting that only a very small percentage of users were practically impacted by the issue.
“Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability,” explains Microsoft.