A newly disclosed vulnerability in Microsoft Azure Cosmos DB, called CosMiss, was found to give an attacker access without authentication under certain conditions.
The vulnerability can be exploited if an attacker knows a Cosmos DB Notebook's forwardingId, which is the universally unique identifier (UUID) of the Notebook Workspace. The attacker would then have full permissions on the Notebook without having to authenticate, including read-write access, the ability to inject code, and the ability to overwrite code, leading to remote code execution.
Jupyter Notebooks are built into Azure Cosmos DB and are used by developers to perform tasks such as data cleaning, exploration, transformation, and machine learning. The problem is that there was no authentication check on Cosmos DB Jupyter Notebooks.
The lack of authentication is risky since the notebooks are used by developers to create code and often contain highly sensitive information, including secrets and private keys.
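The missing check described above, modeled as an added example (not Orca's proof of concept and not Microsoft's code): a toy handler where the workspace identifier alone unlocks a notebook, beside one that requires a token bound to the workspace owner. The function names, signing key, token format and in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import uuid

# Constructed demo data: a server-side signing key and one notebook workspace.
SERVER_KEY = b"constructed-demo-key"
WORKSPACES = {str(uuid.UUID(int=1)): {"owner": "alice", "cells": ["print('hi')"]}}


def issue_token(user: str, forwarding_id: str) -> str:
    """Mint a token bound to one user and one workspace identifier (hypothetical format)."""
    msg = f"{user}|{forwarding_id}".encode()
    return f"{user}:{hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()}"


def handle_vulnerable(forwarding_id: str, headers: dict, new_cell: str) -> int:
    """Flawed pattern: knowing the identifier is treated as proof of access."""
    ws = WORKSPACES.get(forwarding_id)
    if ws is None:
        return 404
    ws["cells"].append(new_cell)  # write happens with no caller identity checked
    return 200


def handle_hardened(forwarding_id: str, headers: dict, new_cell: str) -> int:
    """Require a valid token, bound to this workspace, presented by its owner."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401  # no credential presented
    token = auth[len("Bearer "):]
    user = token.partition(":")[0]
    # Recompute the token the server would have issued; compare in constant time.
    expected = issue_token(user, forwarding_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 401
    ws = WORKSPACES.get(forwarding_id)
    # Same answer for "unknown workspace" and "not yours", so valid IDs are not revealed.
    if ws is None or ws["owner"] != user:
        return 403
    ws["cells"].append(new_cell)
    return 200
```

In the hardened handler the identifier only selects the workspace; the decision to allow the write rests on the verified token and the ownership check.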
The researchers created a proof of concept to demonstrate the vulnerability on a Cosmos DB account using the Azure Table API and Serverless capacity mode. The exploit was also validated on Core SQL API and provisioned throughput deployments. In the proof of concept, the researchers demonstrated how it was possible to overwrite, delete and inject code with the access granted to the notebook.
Before going public with their findings, the researchers reached out to the Microsoft Security Response Center, which fixed the critical issue the next day.
This research was documented by researchers from Orca Security.