UPDATED 09:00 EST / NOVEMBER 01 2022

SECURITY

Azure Cosmos DB vulnerability gave access without authentication

A newly disclosed vulnerability in Microsoft Corp.’s Azure Cosmos DB was found to open the door to an attacker without needing authentication under certain conditions.

Detailed today by security researchers at Orca Security Ltd., the vulnerability has been dubbed “CosMiss.” The vulnerability opens up if an attacker has knowledge of a Cosmos DB Notebook’s “forwardingld,” which is the universal unique identifier of the Notebook Workspace. With this knowledge, the attacker would have full permissions on the Notebook without having to authenticate, including read-write access, code injection and the ability to overwrite code delivering remote code execution.

Azure Cosmo DB is Microsoft’s fast NoSQL database and is used by Microsoft in its own e-commerce platforms and by the retail industry for storing catalog data. Jupyter Notebooks are built into Azure Cosmo DB and are used by developers to perform tasks such as data cleaning, exploration, transformation and machine learning. The problem is that there was no authentication check on Cosmos DB Jupyter Notebook.

The lack of authentication is described by the researchers as being especially risky since the notebooks are used by developers to create code and often contain highly sensitive information, including secrets and private keys.

The researchers created a proof of concept to demonstrate the vulnerability of Cosmos DB through an Azure Table application programming interface and Serverless Capacity mode. The exploit was also validated on Core SQL API and provisioned throughout the deployment. In the proof of concept, the researchers demonstrated how it was possible to overwrite, delete and inject code with the access granted to the notebook.

Before going public with their findings, the Orca researchers reached out to Microsoft Security Response Center, who fixed the critical issue the next day.

In the words of the researchers, the response was “impressive and a much faster response than the SynLapse vulnerability we discovered in Azure SynLapse.” The SynLapse vulnerability was discovered by Orca in January and took until April to fix properly.

Avi Shua (pictured, right), the co-founder and chief executive officer of Orca, spoke with theCUBE, SiliconANGLE Media’s livestreaming studio in November 2021 on the security risks presented by the gradual shift from on-premises computing to the cloud environment:

Photo: Orca Security

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.