A missing authentication check vulnerability in Azure Cosmos DB could have allowed an attacker to execute arbitrary code remotely, Orca Security warns.
Azure Cosmos DB is a NoSQL database used, for example, on e-commerce platforms to store catalog data and in order-processing pipelines for event sourcing.
The security defect was identified in Azure Cosmos DB Jupyter notebooks, an open-source interactive developer environment (IDE) that allows developers to share documents, live code, visualizations, and more. Built into Azure Cosmos DB, Jupyter notebooks may contain secrets and private keys.
Referred to as CosMiss, the flaw could have allowed an attacker with knowledge of the notebook workspace UUID, also known as ‘forwardingId’, to access the notebook without authentication.
The attacker would have had the ability to modify the container’s file system and achieve remote code execution, Orca says.
The CosMiss vulnerability, Orca explains, could have allowed an attacker to read and write data to a notebook, inject code, and overwrite code. However, the attack would have been possible only if the attacker knew the forwardingId.
“As far as we know, the only way to obtain the forwardingId is to open the Notebook as an authenticated user. The forwardingId is not documented as a secret though, so we don’t have any reason to believe that users would treat it as such,” Orca notes.
While analyzing Cosmos DB, Orca’s security researchers discovered that, although the requests sent by a notebook server in the backend contained an authorization header, it was possible to re-send requests even after removing the header.
This allowed the researchers to list different notebooks for the same server, as well as to read contents and write data to them. Being able to overwrite data on the notebook, the researchers then injected code to create a reverse shell and achieve remote code execution.
Orca reported the vulnerability to Microsoft on October 3. The tech giant patched the issue within two days.
“We verified the fix and can confirm that now all Cosmos DB notebook users require an authorization token in the request header before being able to access a notebook,” Orca says.
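The bug class described above, as an added illustration that is not Orca's or Microsoft's code: a hypothetical notebook backend whose handler authorizes purely on knowledge of the forwardingId, beside a hardened handler that requires a valid token in the Authorization header, plus the regression check Orca's finding suggests (replay a legitimate request with the header stripped and confirm it is rejected). The token scheme, owner binding, and all identifiers are assumptions for the demo.

```python
import hmac
import hashlib
from typing import Callable, Dict, Optional

# Constructed sample state (hypothetical names, not the real Cosmos DB service).
TOKEN_SECRET = b"server-side-secret-for-demo-only"
FORWARDING_ID = "1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b"  # constructed workspace UUID
NOTEBOOKS = {FORWARDING_ID: {"owner": "alice", "cells": ["print('hello')"]}}

def issue_token(user: str) -> str:
    """Mint a bearer token bound to a user (hypothetical HMAC scheme)."""
    mac = hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def verify_token(header: Optional[str]) -> Optional[str]:
    """Return the user a 'Bearer <token>' header proves, or None if absent/invalid."""
    if not header or not header.startswith("Bearer "):
        return None
    user, _, mac = header[len("Bearer "):].partition(".")
    expected = hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

def vulnerable_write(forwarding_id: str, headers: Dict[str, str], cell: str) -> int:
    """Missing check: the Authorization header is never consulted, so knowing the
    forwardingId alone grants read/write on the notebook (the behaviour Orca describes)."""
    nb = NOTEBOOKS.get(forwarding_id)
    if nb is None:
        return 404
    nb["cells"].append(cell)
    return 200

def hardened_write(forwarding_id: str, headers: Dict[str, str], cell: str) -> int:
    """Fix: a valid token is required before the forwardingId is even looked up.
    Binding the notebook to the token's user is an added assumption (defence in depth)."""
    user = verify_token(headers.get("Authorization"))
    if user is None:
        return 401
    nb = NOTEBOOKS.get(forwarding_id)
    if nb is None or nb["owner"] != user:
        return 404  # do not reveal whether the workspace exists
    nb["cells"].append(cell)
    return 200

def rejects_header_stripping(handler: Callable[..., int], forwarding_id: str, user: str) -> bool:
    """Regression check: replay an authenticated request with Authorization removed.
    True means the handler refused the stripped replay; False means it was accepted."""
    headers = {"Authorization": f"Bearer {issue_token(user)}"}
    if handler(forwarding_id, headers, "# probe") != 200:
        return False  # authenticated path itself failed; result not meaningful
    return handler(forwarding_id, {}, "# probe") != 200
```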
In a November 1 blog post, Microsoft explains that the bug was introduced on August 12 when a backend API was modified.
The tech giant also points out that most of its Azure Cosmos DB customers (99.8%) do not use Jupyter notebooks, and that successful exploitation would have required an attacker to guess the randomly generated 128-bit forwardingId and use it within the one-hour window during which a session is active.
“Microsoft conducted an investigation of log data from August 12 to Oct 6 and did not identify any brute force requests that would indicate malicious activity,” the company says.
* updated with information from Microsoft