‘CosMiss’ vulnerability found in Microsoft Azure developer tool
Jonathan Greig November 1, 2022

‘CosMiss’ vulnerability found in Microsoft Azure developer tool

‘CosMiss’ vulnerability found in Microsoft Azure developer tool

Microsoft addressed a vulnerability affecting a tool used by developers within its Azure cloud computing service, according to researchers from the tech giant and cybersecurity firm Orca Security.

Both released a report on Tuesday outlining a vulnerability dubbed “CosMiss” in Jupyter Notebooks for Azure Cosmos DB — an open-source interactive developer environment allowing users to create and share documents that have live code, equations and more. 

A Microsoft spokesperson said 99.8% of Azure Cosmos DB customers do not use Jupyter notebooks and are not vulnerable to this issue because the tool is currently in preview. 

To exploit the bug, an attacker would need to know the session’s ‘Globally Unique Identifier’ — also known as GUID. The number is used by developers working with Microsoft technology. 

Jupyter Notebooks for Azure Cosmos DB are run in the context of a temporary notebook workspace which have a maximum lifetime of one hour, a Microsoft spokesperson noted, adding that after one hour, the workspace and all data inside it — including notebooks — are automatically deleted.

“The bug was introduced on August 12th and fully patched worldwide on Oct 6th, two days after it was reported. To exploit it, an attacker would have to guess a 128-bit cryptographically random GUID of an active session and use it within an hour,” Microsoft explained. 

“Microsoft conducted an investigation of log data from August 12th to Oct 6th and did not identify any brute force requests that would indicate malicious activity. No customers were impacted, and no action is required.” 

If a hacker is somehow able to guess the GUID, Microsoft said the attacker would “gain read/write access to the notebooks in the victim’s workspace.”

The impact of the breach would be limited to the one-hour period when the temporary notebooks workspace is active. It does not give an attacker access to other functions within the tool. 

Microsoft thanked Orca Security for discovering the bug and the security company released its own report explaining exploitation of the issue, calling it a “highly important vulnerability.”

Orca Security researchers told The Record that they checked the fix and confirmed that all users of the tool are now protected. 

The researchers noted that the tool is used “extensively in Microsoft’s own e-commerce platforms and in the retail industry for storing catalog data and for event sourcing in order processing pipelines.”

Since Cosmos DB Notebooks are used by developers to create code, they can at times contain highly sensitive information such as secrets and private keys embedded in the code, Orca Security researchers explained. 

“Jupyter Notebooks are built into Azure Cosmos DB, and are used by developers to perform common tasks, such as data cleaning, data exploration, data transformation, and machine learning,” the researchers said. 

“This is especially risky since Cosmos DB Notebooks are used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.