Summary
Cosmos DB notebooks lacked an authentication check, meaning that if an attacker
somehow had prior knowledge of a notebook’s temporary ‘forwardingId’ (a 128bit
cryptographically random GUID assigned to a short-lived workspace that expires
after an hour), they could gain full permissions on the notebook, including
read and write access and the ability to modify the file system of the
container running the notebook. These permissions would suffice for an
attacker to obtain remote code execution (RCE) in the notebook container.
However, this would not allow an attacker to execute notebooks, automatically
save notebooks in the victim’s (optionally) connected GitHub repository, or
access data in the Cosmos DB account. Following disclosure, Cosmos DB notebooks
now require an authorization token in the request header before allowing access.
Affected Services
Cosmos DB
Remediation
None required.
Tracked CVEs
No tracked CVEs
References
https://msrc-blog.microsoft.com/2022/11/01/microsoft-mitigates-vulnerability-in-jupyter-notebooks-for-azure-cosmos-db/https://orca.security/resources/blog/cosmiss-vulnerability-azure-cosmos-db/
Contributed by https://github.com/korniko98
Disclosure Date
Tue, Oct 4th, 2022
Exploitablity Period
2022/08/12 - 2022/10/06
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
7.93
(PI:1.5/A1:20/A2:1.1/A7:0.7/A8:1.1)
Discovered by
Lidor Ben Shitrit, Roee Sagi, Orca Security
