Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB

Summary

Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB (currently in preview) reported by Orca Security.  Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability.

The bug was introduced on August 12th and fully patched worldwide on Oct 6th, two days after it was reported. To exploit it, an attacker would have to guess a 128bit cryptographically random GUID of an active session and use it within an hour. Microsoft conducted an investigation of log data from August 12th to Oct 6th and did not identify any brute force requests that would indicate malicious activity.  

 No customers were impacted, and no action is required.  

Technical Details

As mentioned above, to successfully exploit this vulnerability an attacker must know the unique per-session GUID and must act within the 1-hour window a session is active.   

Jupyter Notebooks for Azure Cosmos DB are run in the context of a temporary notebook workspace which have a maximum lifetime of one hour. After one hour, the workspace and all data inside it – including notebooks – are automatically deleted. The temporary workspace is identified by a randomly generated unique identifier, also known as a forwardingId. 

If the forwardingId of another user’s active temporary notebooks workspace could be guessed, this vulnerability could allow an attacker to gain read/write access to the notebooks in the victim’s workspace. The potential impact is limited to read/write access of the victim’s notebooks during the time (1 hour maximum) their temporary notebooks workspace is active. The vulnerability, even with knowledge of the forwardingId, did not give the ability to execute notebooks, automatically save notebooks in the victim’s (optional) connected GitHub repository, or access to data in the Azure Cosmos DB account.    

The vulnerability is difficult to exploit because the forwadingID is 128bits in length and is randomly generated, expires within one hour, and is not reused.  In August 2022, a change in one of the backend APIs used by the AzureCosmos DB Jupyter Notebooks resulted into requests not being authenticated as expected. 

As previously stated, Microsoft mitigated the vulnerability on October 6, 2022. No customers were impacted, and no action is required.  

Acknowledgement

We appreciate the opportunity to investigate the findings reported by Orca Security, which helped us further harden the service, and thank them for practicing safe security research under the terms of the Microsoft Bug Bounty Program. We encourage all researchers to work with vendors under Coordinated Vulnerability Disclosure (CVD) and abide by the rules of engagement for penetration testing to avoid impacting customer data while conducting security research. 

References

Questions? Open a support case through the Azure Portal at aka.ms/azsupt .