A vulnerability in Microsoft Azure Cosmos DB allowed unauthorized cybercriminals to remotely execute code in Jupyter Notebook.
Microsoft Azure Cosmos DB is a popular noSQL database among retail and e-commerce organizations. Customers use the database for data processing and storage. The integration of Jupyter Notebook helps developers clean and transform data.
Researchers at Orca Security recently discovered a vulnerability in Azure Cosmos DB environments with Jupyter Notebook. The vulnerability allowed unauthorized access, code injection and code replacement in built-in Jupyter Notebooks. A risky problem, as Jupyter Notebook is regularly used to process privacy-sensitive info, including authorization and customer data.
There is no evidence that cybercriminals have exploited the vulnerability in the wild. Microsoft implemented an automatic patch for all Azure Cosmos DB users. two days after being notified by Orace Security.
Under the hood
The vulnerability is a design flaw. Each Jupyter Notebook environment in Azure Cosmos DB has a universally unique identifier (UUID). Orca Security discovered that the UUID of a Jupyter Notebook environment allows unauthorized users to perform authorized actions, including injecting and replacing code.
Azure Cosmos DB took little to no steps to secure UUIDs. Authorized users were able to retrieve the UUID by simply logging in.
Under normal circumstances, a user has little to no reason to retrieve the UUID, let alone share it. In practice, cybercriminals can invent reasons. A hacker could theoretically pose as a support employee, retrieve the UUID from a user and proceed to log into a Jupyter Notebook environment.
The patch has made it impossible for unauthorized users to access Jupyter Notebook through a UUID. Every user now needs an authentication token to perform authorized actions.
Microsoft patches faster than expected
Microsoft resolved the issue two days after Orca Security’s report. The security firm was positively surprised. After Orca Security found a critical vulnerability in Azure Synapse earlier this year, Microsoft shoved the incident under the rug for 89 days. The tech giant’s patch policy was met with heavy criticism as a result.