CVE-2023-35394
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into Azure HDInsight Jupyter Notebooks, which could execute in users' browsers when viewing manipulated content. It affects Azure HDInsight clusters with Jupyter Notebook components. The impact is limited to users who access compromised notebooks.
💻 Affected Systems
- Azure HDInsight
📦 What is this software?
Azure HDInsight by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, credentials, or sensitive data from users' browsers, potentially leading to account compromise or data exfiltration.
Likely Case
Attackers could perform cross-site scripting attacks to hijack user sessions or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, the attack surface is minimized, though the vulnerability still exists in unpatched systems.
🎯 Exploit Status
Exploitation requires the attacker to have the ability to create or modify Jupyter Notebooks in the target HDInsight cluster, typically requiring some level of access to the cluster.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Microsoft has deployed patches to Azure HDInsight service; specific version numbers are not publicly disclosed.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35394
Restart Required: No
Instructions:
1. Log into the Azure portal.
2. Navigate to your HDInsight cluster.
3. Ensure automatic updates are enabled, or manually trigger updates if available.
4. Verify the cluster is running the latest service version.
Note: As a managed service, Microsoft handles patching automatically for most customers.
🔧 Temporary Workarounds
Disable Jupyter Notebook Access
Temporarily disable Jupyter Notebook components in the HDInsight cluster if they are not required for operations.
Azure CLI: az hdinsight application disable --name <cluster-name> --application-name Jupyter
Restrict Notebook Creation
Limit permissions for creating or modifying Jupyter Notebooks to trusted users only.
Use Azure RBAC to restrict write access to HDInsight cluster resources.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for any custom notebook rendering components.
- Monitor for unusual notebook creation or modification activities and review notebook content regularly.
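One way to carry out the "review notebook content regularly" item above: a scanner that walks a notebook's markdown/raw cells and text/html outputs and flags markup a notebook renderer would treat as active content. This is an added example, not code from the original advisory or from Azure HDInsight; the notebook below is constructed sample input and the marker set is an assumed, minimal one.

```python
"""Scan Jupyter .ipynb content for active HTML that a notebook renderer could execute."""
import json
import re

# Assumed minimal set of high-risk markers: script/iframe tags, javascript: URLs,
# and inline event-handler attributes. Extend to suit the renderer in use.
ACTIVE_HTML = re.compile(
    r"<\s*script\b|<\s*iframe\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

def _cell_text_fragments(cell):
    """Yield (location, text) for the parts of a cell that are rendered as HTML."""
    if cell.get("cell_type") in ("markdown", "raw"):
        yield "source", "".join(cell.get("source", []))
    for i, out in enumerate(cell.get("outputs", [])):
        data = out.get("data", {})
        if "text/html" in data:
            yield f"outputs[{i}]/text/html", "".join(data["text/html"])

def scan_notebook(nb_json: str):
    """Return a list of (cell_index, location, matched_marker) findings."""
    nb = json.loads(nb_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        for location, text in _cell_text_fragments(cell):
            for m in ACTIVE_HTML.finditer(text):
                findings.append((idx, location, m.group(0).lower()))
    return findings

# Constructed sample notebook: a benign markdown cell, a markdown cell carrying an
# inline event handler, and a code cell whose HTML output embeds a script tag.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Quarterly report\n"]},
        {"cell_type": "markdown", "metadata": {},
         "source": ["<img src=x onerror=\"alert(1)\">"]},
        {"cell_type": "code", "metadata": {}, "source": ["display_html(...)"],
         "execution_count": 1,
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/html": ["<div><script>alert(1)</script></div>"]}}]},
    ],
})

if __name__ == "__main__":
    for cell_idx, location, marker in scan_notebook(SAMPLE_NOTEBOOK):
        print(f"cell {cell_idx} {location}: {marker}")
```

Run it against `.ipynb` files pulled from the cluster's notebook storage; any finding is a cell to inspect by hand before it is opened in a browser.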
🔍 How to Verify
Check if Vulnerable:
Check if your Azure HDInsight cluster was created or updated before Microsoft's July 2023 security patches. Review cluster properties in Azure portal for last update date.
Check Version:
Azure CLI: az hdinsight show --name <cluster-name> --resource-group <resource-group> --query "properties.clusterVersion"
Verify Fix Applied:
Confirm your HDInsight cluster shows recent updates (post-July 2023) in the Azure portal under cluster properties or update history.
📡 Detection & Monitoring
Log Indicators:
- Unusual notebook creation or modification events in HDInsight audit logs
- Multiple failed attempts to access notebook rendering endpoints
Network Indicators:
- Unexpected outbound connections from HDInsight cluster to external domains following notebook access
SIEM Query:
Azure Sentinel: HDInsight_CL | where OperationName contains "Notebook" and ResultType == "Success" | summarize count() by CallerIpAddress, bin(TimeGenerated, 1h)