Critical flaw in Azure Cosmos DB found by researchers
Wiz, the Cloud infrastructure security company, discovered a new attack vector in Microsoft Azure, the exploitation of which could grant any Azure user admin access to other customers’ database without authorization.
The flaw has been dubbed ChaosDB and claims to grant read, write, and delete privileges. Wiz researchers noted that the vulnerability has a trivial exploit not requiring any previous access to the target environment.
Cosmos DB is Microsoft’s NoSQL database and claims to be a fully managed service, taking the responsibility of database administration through automatic management, updates, and patching.
The researcher reported the issue to Microsoft on August 12. Microsoft was prompt enough to take steps to alleviate the issue within 48 hours. It also awarded $40,000 to the reporter of the flaw.
Microsoft stated that they have no sign that external entities had access to the primary read-write key associated with the Azure Cosmos DB accounts. The company added that they are not aware of any data access due to this vulnerability, specifying that Azure Cosmos DB accounts that have vNET or firewall enabled are protected from unauthorized access through additional security measures.
The exploit highlights a series of vulnerabilities in the Jupyter Notebook element of Cosmos DB, allowing a threat actor to obtain the credentials of the target Cosmos DB account, which includes the Primary Key. This gives access to the administrative resources for the database account.
According to the researchers, these credentials can be used to view, modify, and delete data in the target Cosmos DB account through multiple channels. So any Cosmos DB asset with the Jupyter Notebook feature enabled is affected.
Also Read: 38 million records exposed online
The vulnerability has now been fixed, and Microsoft had also informed over 30% of Cosmos DB customers about the potential of a breach. According to Wiz, the actual number of affectees would have been higher owing to the fact the vulnerability was exploitable for months.
Wiz specialists also stated that every Cosmos DB customer should assume being exposed. They are also advised to review all past activity in their accounts. Moreover, Microsoft is also playing its part through advising its customers to regenerate DB Primary Keys to restrict any threat or risk that might arise from the issue.