Researchers with the Microsoft Security Response Center (MSRC) and Orca Security pulled back the covers this week on a critical vulnerability in Microsoft Azure Cosmos DB that impacts its Cosmos DB Jupyter Notebooks feature. The remote code execution (RCE) bug illustrates how weaknesses in the authentication architecture of cloud-native and machine learning-friendly environments could be exploited by attackers.
Dubbed CosMiss by Orca's research team, the vulnerability boils down to a misconfiguration in how authorization headers are handled, which let unauthenticated users gain read and write access to Azure Cosmos DB Notebooks, and inject and overwrite code.
"In short, if an attacker had knowledge of a Notebook's 'forwardingId', which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook, including read and write access, and the ability to modify the file system of the container running the notebook," wrote Lidor Ben Shitrit and Roee Sagi of Orca in a technical run-down of the vulnerability. "By modifying the container file system — aka dedicated workspace for temporary notebook hosting — we were able to obtain RCE in the notebook container."
A distributed NoSQL database, Azure Cosmos DB is designed to support scalable, high-performance apps with high availability and low latency. Its uses include IoT device telemetry and analytics; real-time retail services that run things like product catalogs and AI-driven personalized recommendations; and globally distributed applications such as streaming services, pick-up and delivery services, and the like.
Meanwhile, Jupyter Notebooks is an open source interactive developer environment (IDE) used by developers, data scientists, engineers, and business analysts to do everything from data exploration and data cleaning to statistical modeling, data visualization, and machine learning. It's a powerful environment built for creating, executing, and sharing documents with live code, equations, visualizations, and narrative text.
Orca researchers say that this functionality makes an authentication flaw in Cosmos DB Notebooks particularly risky, since the notebooks are "used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code."
The flaw was introduced in late summer, found and disclosed to Microsoft by Orca in early October, and fixed within two days. Because of the distributed architecture of Cosmos DB, rolling out the patch required no action from customers.