Researchers from Microsoft Security Response Center (MSRC) and Orca Security unveiled a critical vulnerability in Microsoft Azure Cosmos DB this week that impacts its Cosmos DB Jupyter Notebooks functionality. The Remote Code Execution (RCE) bug provides a picture of how the weaknesses in the authentication architecture of cloud-native and machine learning-friendly environments could be used by attackers.
Dubbed CosMiss by the Orca research team, the vulnerability boils down to misconfiguration in the way authorization headers are handled, which allows unauthenticated users to gain read and write access to Azure Cosmos DB notebooks and to insert and overwrite code.
“In short, if an attacker were aware of a Notebook’s ‘forwardingId’, which is the UUID of the Workspace Notebook, they would have full permissions on the Notebook, including read and write access, and the ability to change the file system of the container running the notebook, “wrote Lidor Ben Shitrit and Roee Sagi of Orca in a technical report on the vulnerability. “By modifying the container file system, also known as the dedicated workspace for temporary notebook hosting, we were able to get RCE into the notebook container.”
A distributed NoSQL database, Azure Cosmos DB is designed to support scalable, high-performance apps with high availability and low latency. Among its uses are telemetry and IoT device analysis; real-time retail services to manage things like product catalogs and personalized AI-powered recommendations; and globally distributed applications such as streaming services, collection and delivery services, and the like.
Meanwhile, Jupyter Notebooks is an open source interactive development environment (IDE) used by developers, data scientists, engineers and business analysts to perform everything from data exploration and cleansing to statistical modeling, data visualization and machine learning. It is a powerful environment built to create, run and share documents with live code, equations, visualizations and narrative text.
Orca researchers say this feature makes an authentication flaw within Cosmos DB notebooks particularly risky, as they are “used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code.”
The flaw was introduced in late summer, found and disclosed to Microsoft by Orca in early October, and fixed within two days. The patch required no customer action for implementation due to the distributed architecture of Cosmos DB.