medium

CosMiss

Published Tue, Nov 1st, 2022
Platforms

Summary

Cosmos DB notebooks lacked an authentication check, meaning that if an attacker somehow had prior knowledge of a notebook’s temporary ‘forwardingId’ (a 128bit cryptographically random GUID assigned to a short-lived workspace that expires after an hour), they could gain full permissions on the notebook, including read and write access and the ability to modify the file system of the container running the notebook. These permissions would suffice for an attacker to obtain remote code execution (RCE) in the notebook container. However, this would not allow an attacker to execute notebooks, automatically save notebooks in the victim’s (optionally) connected GitHub repository, or access data in the Cosmos DB account. Following disclosure, Cosmos DB notebooks now require an authorization token in the request header before allowing access.

Affected Services

Cosmos DB

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Tue, Oct 4th, 2022
Exploitablity Period
2022/08/12 - 2022/10/06
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Lidor Ben Shitrit, Roee Sagi, Orca Security