Microsoft Patches Azure Cosmos DB Flaw Leading to Remote Code Execution

A missing authentication check vulnerability in Azure Cosmos DB could have allowed an attacker to execute arbitrary code remotely, Orca Security warns.

Azure Cosmos DB is a NoSQL database used on e-commerce platforms to store catalog data, and in order processing pipelines for event sourcing.

The security defect was identified in Azure Cosmos DB Jupyter notebooks, an open-source interactive developer environment (IDE) that allows developers to share documents, live code, visualizations, and more. Built into Azure Cosmos DB, Jupyter notebooks may contain secrets and private keys.

Referred to as CosMiss, the flaw could have allowed an attacker with knowledge of the notebook workspace UUID, also known as ‘forwardingId’, to access the notebook without authentication.

The attacker would have had the ability to modify the container’s file system and achieve remote code execution, Orca says.

The CosMiss vulnerability, Orca explains, could have allowed an attacker to read and write data to a notebook, inject code, and overwrite code. However, the attack would have been possible only if the attacker knew the forwardingId.

“As far as we know, the only way to obtain the forwardingId is to open the Notebook as an authenticated user. The forwardingId is not documented as a secret though, so we don’t have any reason to believe that users would treat it as such,” Orca notes.

While analyzing Cosmos DB, Orca’s security researchers discovered that, although the requests sent by a notebook server in the backend contained an authorization header, it was possible to re-send requests even after removing the header.

This allowed the researchers to list different notebooks for the same server, as well as to read contents and write data to them. Being able to overwrite data on the notebook, the researchers then injected code to create a reverse shell and achieve remote code execution.

Orca reported the vulnerability to Microsoft on October 3. The tech giant patched the issue within two days.

“We verified the fix and can confirm that now all Cosmos DB notebook users require an authorization token in the request header before being able to access a notebook,” Orca says.
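The behaviour Orca describes (a notebook request still accepted after its authorization header was removed) and the fix (every request must carry a token) modelled as an added Python example; this is not Microsoft's or Orca's code, and the session table, workspace ID and token values are constructed placeholders.

```python
# Added example: the CosMiss pattern (access granted by knowledge of the
# workspace UUID alone) beside the corrected check, plus the regression probe
# Orca's finding suggests: replay a valid request with its Authorization header
# stripped. All tokens, principals and IDs are constructed placeholders.
import hmac

# Constructed session table: bearer token -> principal. A real service validates
# a signed token; a dict stands in for that here.
SESSIONS = {"tok-alice-0001": "alice", "tok-bob-0002": "bob"}
# Constructed workspace keyed by its forwardingId (a random 128-bit UUID).
WS_ID = "12345678-9abc-def0-1122-334455667788"
WORKSPACES = {WS_ID: {"owner": "alice", "content": "print('hello')"}}


def vulnerable_read(forwarding_id, headers):
    """Pre-fix behaviour: headers are never consulted, so whoever knows the
    forwardingId can read the notebook."""
    ws = WORKSPACES.get(forwarding_id)
    return (404, None) if ws is None else (200, ws["content"])


def _principal(headers):
    """Return the principal behind a 'Bearer <token>' header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for known, who in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return who
    return None


def hardened_read(forwarding_id, headers):
    """Post-fix behaviour: authenticate first, then authorize against the
    workspace owner; the ID by itself grants nothing."""
    who = _principal(headers)
    if who is None:
        return 401, None
    ws = WORKSPACES.get(forwarding_id)
    if ws is None or ws["owner"] != who:
        return 403, None  # same answer for unknown and foreign IDs
    return 200, ws["content"]


def replay_without_auth(handler, forwarding_id, headers):
    """Regression probe: re-send the request with Authorization removed and
    report True if the endpoint still served the notebook (defect present)."""
    stripped = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    status, _ = handler(forwarding_id, stripped)
    return status == 200
```

Run `replay_without_auth` against each notebook endpoint in a pre-deployment suite so a backend change like the one Microsoft describes fails the build instead of reaching production.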

In a November 1 blog post, Microsoft explains that the bug was introduced on August 12 when a backend API was modified.

The tech giant also points out that most of its Azure Cosmos DB customers (99.8%) do not use Jupyter notebooks, and that successful exploitation would have required an attacker to guess the randomly generated 128-bit forwardingId and use it within the one-hour window during which a session is active.

“Microsoft conducted an investigation of log data from August 12 to Oct 6 and did not identify any brute force requests that would indicate malicious activity,” the company says.

* updated with information from Microsoft

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
