Researchers from the Microsoft Security Response Center (MSRC) and Orca Security this week disclosed a critical vulnerability in Microsoft Azure Cosmos DB that affects its Cosmos DB Jupyter Notebooks functionality. The Remote Code Execution (RCE) bug illustrates how weaknesses in the authentication architecture of cloud-native and machine-learning-enabled environments can be exploited by attackers.
Dubbed CosMiss by Orca’s research team, the vulnerability boils down to a misconfiguration in the way authorization headers are handled, allowing unauthenticated users to read and write to Azure Cosmos DB notebooks, and to inject and overwrite code.
“In short, if an attacker had knowledge of a Notebook’s ‘forwardingId’, which is the UUID of the Notebook workspace, they would have had full permissions on the Notebook, including read and write access, and the ability to modify the filesystem of the container running the Notebook,” Orca’s Lidor Ben Shitrit and Roee Sagi wrote in a technical overview of the vulnerability. “By modifying the filesystem of the container – i.e. a workspace dedicated to temporarily housing the Notebooks – we were able to get RCE in the Notebook container.”
A distributed NoSQL database, Azure Cosmos DB is designed to support scalable, high-performance applications with high availability and low latency. Among its uses are telemetry and analysis for IoT devices; real-time retail services such as product catalogs and AI-powered personalized recommendations; and globally distributed applications such as streaming, collection and delivery services.
Meanwhile, Jupyter Notebooks is an open-source interactive development environment (IDE) used by developers, data scientists, engineers, and business analysts to do everything from data exploration and cleaning to statistical modeling, data visualization and machine learning. It is a powerful environment designed to create, run and share documents with live code, equations, visualizations and narrative text.
Orca researchers say this makes an authentication flaw in Cosmos DB Notebooks particularly risky, as they are “used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code”.
The flaw was introduced in late summer, discovered and disclosed to Microsoft by Orca in early October, and patched within two days. The fix did not require any customer action for its deployment due to the distributed architecture of Cosmos DB.