A missing authentication check vulnerability in Azure Cosmos DB could have allowed an attacker to execute arbitrary code remotely, Orca Security warns.
Azure Cosmos DB is a NoSQL database used on e-commerce platforms to store catalog data, and in order processing pipelines for event sourcing.
The security defect was identified in Azure Cosmos DB Jupyter notebooks, an open-source interactive development environment that allows developers to share documents, live code, visualizations, and more. Built into Azure Cosmos DB, Jupyter notebooks may contain secrets and private keys.
Referred to as CosMiss, the flaw could have allowed an attacker with knowledge of the notebook workspace UUID, also known as ‘forwardingId’, to access the notebook without authentication.
The attacker would have had the ability to modify the container’s file system and achieve remote code execution, Orca says.
The CosMiss vulnerability, Orca explains, could have allowed an attacker to read and write data to a notebook, inject code, and overwrite code. However, the attack would have been possible only if the attacker knew the forwardingId.
“As far as we know, the only way to obtain the forwardingId is to open the Notebook as an authenticated user. The forwardingId is not documented as a secret though, so we don’t have any reason to believe that users would treat it as such,” Orca notes.
While analyzing Cosmos DB, Orca’s security researchers discovered that, although the requests sent by a notebook server in the backend contained an authorization header, it was possible to re-send requests even after removing the header.
This allowed the researchers to list the notebooks for the same server, as well as to read their contents and write data to them. Because they could overwrite notebook data, the researchers then injected code that created a reverse shell, achieving remote code execution.
Orca reported the vulnerability to Microsoft on October 3. The tech giant patched the issue within two days.
“We verified the fix and can confirm that now all Cosmos DB notebook users require an authorization token in the request header before being able to access a notebook,” Orca says.
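The defect described above (a workspace UUID treated as the only proof of access, with the Authorization header never enforced) and the fix Orca verified can be modeled side by side. The code below is an added illustration, not Cosmos DB or Orca code: the `Request` type, the `NOTEBOOKS`/`TOKENS` tables, the placeholder UUID and the handler names are all constructed here.

```python
"""Constructed model of a CosMiss-style missing authentication check."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    forwarding_id: str                      # workspace UUID from the URL
    headers: dict = field(default_factory=dict)


# Constructed sample state: one workspace, one notebook, one valid token.
WORKSPACE_ID = "4f2a0c3e-7b1d-4e8a-9a6c-1d2e3f4a5b6c"  # placeholder UUID
NOTEBOOKS = {WORKSPACE_ID: {"analysis.ipynb": "print('hello')"}}
TOKENS = {WORKSPACE_ID: secrets.token_hex(16)}


def list_notebooks_vulnerable(req: Request):
    """Pre-fix behaviour: knowing the forwardingId is enough. The
    Authorization header is never consulted, so the same request with
    the header stripped still succeeds."""
    if req.forwarding_id not in NOTEBOOKS:
        return 404, None
    return 200, sorted(NOTEBOOKS[req.forwarding_id])


def _token_ok(req: Request) -> bool:
    """Constant-time check of a bearer token bound to this workspace."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    expected = TOKENS.get(req.forwarding_id)
    return expected is not None and hmac.compare_digest(
        auth[len("Bearer "):].encode(), expected.encode())


def list_notebooks_fixed(req: Request):
    """Post-fix behaviour: authenticate before touching workspace data
    and fail closed (401) on a missing or invalid token."""
    if not _token_ok(req):
        return 401, None
    if req.forwarding_id not in NOTEBOOKS:
        return 404, None
    return 200, sorted(NOTEBOOKS[req.forwarding_id])


def header_required(handler, forwarding_id: str) -> bool:
    """Regression check: the authenticated request must succeed and the
    identical request without its Authorization header must be rejected."""
    with_auth = Request(forwarding_id,
                        {"Authorization": "Bearer " + TOKENS[forwarding_id]})
    without_auth = Request(forwarding_id, {})
    return handler(with_auth)[0] == 200 and handler(without_auth)[0] == 401
```

`header_required` is the kind of test to keep in a CI suite so that a route which once authorized by UUID alone cannot silently regress.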