Kritična ranljivost v Microsoft Azure Cosmos DB odpre Jupyter Notebooks

Raziskovalci iz Microsoftovega varnostno-odzivnega centra (MSRC) in Orca Security so ta teden razkrili kritično ranljivost v Microsoft Azure Cosmos DB, ki vpliva na njegovo funkcijo Cosmos DB Jupyter Notebooks. Napaka oddaljenega izvajanja kode (RCE) zagotavlja portret tega, kako bi lahko napadalci uporabili slabosti v arhitekturi preverjanja pristnosti v oblaku in strojnem učenju prijaznih okolij.

Dubbed CosMiss by Orca’s research team, the vulnerability boils down to a misconfiguration in how authorization headers are handled, which let unauthenticated users gain read and write access to Azure Cosmos DB Notebooks, and inject and overwrite code.

“In short, if an attacker had knowledge of a Notebook’s ‘forwardingId’, which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook, including read and write access, and the ability to modify the file system of the container running the notebook,” wrote Lidor Ben Shitrit and Roee Sagi of Orca in a tehnična dotrajanost of the vulnerability. “By modifying the container file system — aka dedicated workspace for temporary notebook hosting — we were able to obtain RCE in the notebook container.”

Porazdeljena zbirka podatkov NoSQL, Azure Cosmos DB, je zasnovana za podporo razširljivim, visoko zmogljivim aplikacijam z visoko razpoložljivostjo in nizko zakasnitvijo. Med njegovimi uporabami so telemetrija in analitika naprav IoT; maloprodajne storitve v realnem času za izvajanje stvari, kot so katalogi izdelkov in prilagojena priporočila na podlagi umetne inteligence; in globalno porazdeljene aplikacije, kot so pretočne storitve, storitve prevzema in dostave ipd.

Meantime, Jupyter Notebooks is an open source interactive developer environment (IDE) used by developers, data scientists, engineers, and business analysts to do everything from data exploration and data cleaning to statistical modeling, data visualization, and machine learning. It’s a powerful environment built for creating, executing, and sharing documents with live code, equations, visualizations, and narrative text.

Orca researchers say that this functionality makes a flaw in authentication within Cosmos DB Notebooks particularly risky, since they’re “used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code.”

Napaka je bila uvedena pozno poleti, Orca pa jo je Microsoftu odkrila in razkrila v začetku oktobra ter odpravila v dveh dneh. Zaradi porazdeljene arhitekture Cosmos DB za uvedbo popravka od strank ni bilo treba ukrepati.

Ni prva ranljivost, najdena v Cosmosu

Vgrajena integracija prenosnih računalnikov Jupyter v Azure Cosmos DB je še vedno funkcija v načinu predogleda, vendar to zagotovo ni prva javno objavljena napaka, najdena v njej. Lanskoletni raziskovalci z Wiz.io odkril a chain of flaws in the feature that gave any Azure user full admin access to other customers’ Cosmos DB instances without authorization. At the time, researchers reported big brands like Coca-Cola, Kohler, Rolls-Royce, Siemens, and Symantec all had database keys exposed.

Tveganje in učinki te najnovejše napake so verjetno bolj omejeni kot prejšnja zaradi številnih dejavnikov, ki jih je MSRC predstavil v blogu, objavljenem v torek. 

According to the MSRC blog, the exploitable bug was exposed for approximately two months after an update this summer in a backend API resulted in requests not being authenticated properly. The good news is, the security team conducted a thorough investigation of activity and didn’t find any signs of attackers leveraging the flaw at the time.

“Microsoft conducted an investigation of log data from August 12th to Oct 6th and did not identify any brute force requests that would indicate malicious activity,” je zapisal tiskovni predstavnik MSRC, ki je tudi opozoril, da 99.8 % strank Azure Cosmos DB še ne uporablja prenosnikov Jupyter.

Nadaljnje zmanjšanje tveganja je dejstvo, da ima ID za posredovanje, uporabljen v dokazu koncepta Orca, zelo kratko življenjsko dobo. Zvezki se izvajajo v začasnem delovnem prostoru prenosnika, ki ima največjo življenjsko dobo eno uro, po kateri se izbrišejo vsi podatki v tem delovnem prostoru.

“The potential impact is limited to read/write access of the victim’s notebooks during the time their temporary notebooks workspace is active,” explained Microsoft. “The vulnerability, even with knowledge of the forwardingId, did not give the ability to execute notebooks, automatically save notebooks in the victim’s (optional) connected GitHub repository, or access to data in the Azure Cosmos DB account.”