Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.
Wiz has named the flaw ChaosDB.
“By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook,” reads Wiz’s explanation. “By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key.”
And once you have those creds, it’s party time. Wiz reckons the fun to be had includes the powers to “view, modify, and delete data in the target Cosmos DB account via multiple channels.”
Wiz’s advisory claims it found the flaw on August 9, informed Microsoft on the 12th, saw the vulnerable feature had been disabled on the 14th, and noticed some credentials had been revoked on the 16th. It went public today, August 26.
Microsoft paid a $40,000 bounty to the flaw's finders on the 17th. Wiz says the Windows giant has advised Azure users to regenerate their Cosmos DB primary keys ASAP as a precaution. We're told Redmond sent out the following notice to at least some of its cloud subscribers:
Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.
We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access.
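For admins acting on that advice, here is an added example (not from the article, Wiz, or Microsoft) of rotating a Cosmos DB account's keys with the Azure CLI and checking whether the account has the firewall or vNET controls Microsoft's notice refers to. It assumes `az` is installed and logged in; the account and resource-group names are placeholders, and `DRY_RUN=1` prints the commands instead of executing them. It also goes slightly beyond the notice by rotating the secondary key first, which is the standard way to regenerate a primary key without client downtime.

```shell
#!/bin/sh
# Added example, not the article's or Microsoft's code. Assumes the Azure CLI
# (`az`) is installed and authenticated. Account/resource-group names are
# placeholders; set DRY_RUN=1 to print the commands instead of running them.

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Rotate both read-write keys without downtime: regenerate the key that
# applications are NOT currently using, cut clients over to it, then
# regenerate the other one (the primary key the notice is concerned with).
rotate_cosmos_keys() {
    account="$1"
    rg="$2"
    # Step 1: regenerate the secondary key while clients still use the primary.
    run az cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind secondary
    # (Operator step: move clients to the new secondary key here.)
    # Step 2: regenerate the possibly exposed primary key.
    run az cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind primary
    # (Operator step: move clients back to the new primary key.)
}

# Show the network controls the notice relies on: public network access,
# IP firewall rules, vNET rules and whether the vNET filter is enabled.
show_network_controls() {
    account="$1"
    rg="$2"
    run az cosmosdb show --name "$account" --resource-group "$rg" \
        --query '{publicNetworkAccess:publicNetworkAccess,ipRules:ipRules,vnetRules:virtualNetworkRules,vnetFilter:isVirtualNetworkFilterEnabled}' \
        --output json
}
```

Read-only keys (`--key-kind primaryReadonly` / `secondaryReadonly`) are rotated the same way; an empty `ipRules` and `vnetRules` list with `publicNetworkAccess` set to `Enabled` means the account is reachable from anywhere that holds a valid key, which is exactly the situation the notice says is not protected by additional mechanisms.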
Interestingly, Wiz claims, to the best of its knowledge, that Microsoft has advised only 30 per cent of its customers about the problem. “We believe the actual number of customers affected by ChaosDB is higher,” the smaller firm says.
A spokesperson for Microsoft told The Register on Thursday: "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure."
As far as the mega-corp says it is concerned, no customer data was accessed via the vulnerability and no one exploited it in the wild. Its spokespeople didn't address Wiz's figure of 30 per cent, saying instead that "customers who may have been impacted received a notification from us."
We might suggest some of that $20bn in cyber-security spending Microsoft CEO Satya Nadella pledged earlier should go toward taking another look through Cosmos DB's defenses. ®