medium

CosMiss

Published Tue, Nov 1st, 2022

Platforms

azure

Summary

Cosmos DB notebooks lacked an authentication check, meaning that if an attacker somehow had prior knowledge of a notebook's temporary 'forwardingId' (a 128-bit cryptographically random GUID assigned to a short-lived workspace that expires after an hour), they could gain full permissions on the notebook, including read and write access and the ability to modify the file system of the container running the notebook. These permissions would suffice for an attacker to obtain remote code execution (RCE) in the notebook container. However, this would not allow an attacker to execute notebooks, automatically save notebooks in the victim's optionally connected GitHub repository, or access data in the Cosmos DB account. Following disclosure, Cosmos DB notebooks now require an authorization token in the request header before allowing access.

Affected Services

Cosmos DB

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Tue, Oct 4th, 2022

Exploitability Period

2022/08/12 - 2022/10/06

Known ITW Exploitation

-

Detection Methods

-

Piercing Index Rating

7.93

(PI:1.5/A1:20/A2:1.1/A7:0.7/A8:1.1)

Discovered by

Lidor Ben Shitrit, Roee Sagi, Orca Security