A newly disclosed vulnerability in Microsoft Corp.’s Azure Cosmos DB was found to open the door to an attacker without needing authentication under certain conditions.
Detailed today by security researchers at Orca Security Ltd., the vulnerability has been dubbed “CosMiss.” The vulnerability opens up if an attacker has knowledge of a Cosmos DB Notebook’s “forwardingld,” which is the universal unique identifier of the Notebook Workspace. With this knowledge, the attacker would have full permissions on the Notebook without having to authenticate, including read-write access, code injection and the ability to overwrite code delivering remote code execution.
Azure Cosmo DB is Microsoft’s fast NoSQL database and is used by Microsoft in its own e-commerce platforms and by the retail industry for storing catalog data. Jupyter Notebooks are built into Azure Cosmo DB and are used by developers to perform tasks such as data cleaning, exploration, transformation and machine learning. The problem is that there was no authentication check on Cosmos DB Jupyter Notebook.
The lack of authentication is described by the researchers as being especially risky since the notebooks are used by developers to create code and often contain highly sensitive information, including secrets and private keys.
The researchers created a proof of concept to demonstrate the vulnerability of Cosmos DB through an Azure Table application programming interface and Serverless Capacity mode. The exploit was also validated on Core SQL API and provisioned throughout the deployment. In the proof of concept, the researchers demonstrated how it was possible to overwrite, delete and inject code with the access granted to the notebook.
Before going public with their findings, the Orca researchers reached out to Microsoft Security Response Center, who fixed the critical issue the next day.
In the words of the researchers, the response was “impressive and a much faster response than the SynLapse vulnerability we discovered in Azure SynLapse.” The SynLapse vulnerability was discovered by Orca in January and took until April to fix properly.
Avi Shua (pictured, right), the co-founder and chief executive officer of Orca, spoke with theCUBE, SiliconANGLE Media’s livestreaming studio in November 2021 on the security risks presented by the gradual shift from on-premises computing to the cloud environment: