Highlights:

  • The researchers released a proof-of-concept (POC) that allowed code execution and published a thorough technical write-up for the problem today.
  • The analysts discovered that the server still responded normally when they requested a listing of all Notebooks on that server without the Authorization header, proving that the header was not required.

Analysts at Orca Security discovered a critical vulnerability in Azure Cosmos DB that permits unauthenticated read and write access to containers.

The security flaw, known as CosMiss, is in Azure Cosmos DB built-in Jupyter Notebooks that can be integrated into the Azure portal and Azure Cosmos DB accounts to query, analyze, and visualize NoSQL data and outcomes.

The completely managed NoSQL database from Microsoft, called Azure Cosmos DB, features extensive API-type support for programs of all kinds. Users can access Cosmos DB data using Jupyter Notebooks, an interactive web application.

Researchers at Orca Security found that Cosmos DB Jupyter Notebooks lacked the authentication checks that would ward off unauthorized access, so anyone who had the UUID of the Notebook Workspace could read it and even modify a container.

Microsoft was recently informed about Orca’s research findings, and the software maker quickly rectified severe problems in just two days.

The researchers released a proof-of-concept (POC) that allowed code execution and published a thorough technical write-up for the problem today. The exploit is no longer functional because Microsoft has already patched the issue.

Details of CosMiss

When a user creates a new Notebook on Azure Cosmos DB, a new endpoint and a unique new session/notebook ID (a UUIDv4) are created.

The researchers analyzed the traffic of the request from a freshly made notebook to the server and discovered the presence of an Authorization Header.

When the header was removed, and a request was sent to all Notebooks on that server, the analysts discovered that the server responded appropriately, proving that the Authorization Header was not required.

By testing various seemingly legitimate PUT requests with JSON payloads, Orca’s analysts discovered they could alter the code in the Notebook, rewrite data, introduce new snippets, or delete them.

Additionally, since the previous operation discloses every Notebook ID on the same platform, an attacker could access and change any of those Notebooks.

An attacker can go one step further by modifying the file that creates the Explorer Dashboard by adding Python code and then loading the Cosmos Data Explorer using the Azure interface.

The Python code was automatically run when Data Explorer was loaded, providing the attacker with a reverse shell on the client.
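As an added example, not Orca Security’s or Microsoft’s code, the following in-memory Python model shows the missing-authorization pattern the preceding paragraphs describe (an Authorization header that is carried but never checked, a listing that discloses every notebook ID, and a PUT that accepts new cells from anyone) beside a hardened handler that authenticates first and then authorizes on notebook ownership. It also includes the regression check a defender would keep in CI to catch this class of bug. All user names, bearer tokens, notebook contents and the `/notebooks` paths are constructed for illustration; the HTTP layer is omitted so the model runs offline, and the Data Explorer code-execution stage is not modelled.

```python
# Added example (not Orca Security's or Microsoft's code): an in-memory model of a
# notebook API showing the CosMiss-style missing-authorization pattern beside a
# hardened handler, plus the regression check a defender would keep in CI.
# Every token, user name, path and notebook below is constructed for illustration.
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed bearer tokens -> principal. A real service would validate a signed token.
VALID_TOKENS: Dict[str, str] = {"token-alice": "alice", "token-bob": "bob"}


@dataclass
class Notebook:
    notebook_id: str  # UUIDv4, as in the article; knowing it is not proof of ownership
    owner: str
    cells: List[str] = field(default_factory=list)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


Response = Tuple[int, Optional[list]]
Handler = Callable[[Request, Dict[str, Notebook]], Response]


def seed_notebooks() -> Dict[str, Notebook]:
    """Constructed store: one notebook per tenant, keyed by its UUIDv4."""
    store: Dict[str, Notebook] = {}
    for owner, code in (("alice", "df.head()"), ("bob", "df.describe()")):
        nb = Notebook(str(uuid.uuid4()), owner, [code])
        store[nb.notebook_id] = nb
    return store


def _notebook_from_path(path: str, store: Dict[str, Notebook]) -> Optional[Notebook]:
    prefix = "/notebooks/"
    return store.get(path[len(prefix):]) if path.startswith(prefix) else None


def vulnerable_handle(req: Request, store: Dict[str, Notebook]) -> Response:
    """CosMiss-style handler: the Authorization header is never consulted, so
    anyone who reaches the endpoint can list every notebook ID and PUT new cells."""
    if req.method == "GET" and req.path == "/notebooks":
        return 200, sorted(store)  # discloses every notebook ID
    nb = _notebook_from_path(req.path, store)
    if req.method == "PUT" and nb is not None and req.body is not None:
        nb.cells = list(req.body.get("cells", []))  # unauthenticated write
        return 200, nb.cells
    return 404, None


def _principal(req: Request) -> Optional[str]:
    """Map a 'Bearer <token>' header to a user, or None if absent or invalid."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token or not token.isascii():
        return None
    for known, user in VALID_TOKENS.items():
        if secrets.compare_digest(known, token):  # constant-time comparison
            return user
    return None


def hardened_handle(req: Request, store: Dict[str, Notebook]) -> Response:
    """Hardened handler: authenticate first, then authorize on notebook ownership.
    Other tenants' notebooks answer 404 so the ID space is not confirmed to callers."""
    user = _principal(req)
    if user is None:
        return 401, None
    if req.method == "GET" and req.path == "/notebooks":
        return 200, sorted(i for i, nb in store.items() if nb.owner == user)
    nb = _notebook_from_path(req.path, store)
    if req.method == "PUT" and nb is not None and nb.owner == user and req.body is not None:
        nb.cells = list(req.body.get("cells", []))
        return 200, nb.cells
    return 404, None


def auth_is_enforced(handler: Handler) -> bool:
    """Regression check: an unauthenticated listing must be rejected, and a valid
    user must not be able to write to a notebook merely by knowing its UUID."""
    store = seed_notebooks()
    alice_id = next(i for i, nb in store.items() if nb.owner == "alice")
    status, _ = handler(Request("GET", "/notebooks"), store)
    if status != 401:
        return False
    bob = {"Authorization": "Bearer token-bob"}
    status, _ = handler(Request("PUT", f"/notebooks/{alice_id}", bob, {"cells": ["x"]}), store)
    return status != 200 and store[alice_id].cells != ["x"]


if __name__ == "__main__":
    print("vulnerable handler enforces auth:", auth_is_enforced(vulnerable_handle))  # False
    print("hardened handler enforces auth:", auth_is_enforced(hardened_handle))  # True
```

The point of `auth_is_enforced` is that it tests the two properties the article shows were missing, in order: a request with no Authorization header must get 401 rather than data, and a legitimately authenticated tenant must still be refused when it targets another tenant’s UUID. Treating the UUID as a secret is not a substitute for either check, because the listing endpoint hands every ID to whoever asks.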

Azure Cosmos DB is a fully managed, serverless distributed database; the fixes are being made on the server. Hence, users do not need to take any action to reduce the risk.

Update 11/1: Microsoft’s Security Response Center also released a study about this repair, underlining that only a tiny proportion of users were negatively affected by the problem.

Microsoft explained, “Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability.”