Researchers discover critical flaw in Azure Cosmos DB
A major flaw in Microsoft’s Azure Cosmos DB puts thousands of businesses at risk.
In a blog post Thursday, Wiz security researchers Nir Ohfeld and Sagi Tzadik explained how they were able to gain full and unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including Fortune 500 companies Coca-Cola and Exxon Mobil. The vulnerability, which they dubbed ChaosDB, affects Azure’s flagship database service, Cosmos DB.
The story was first reported by Reuters on Friday after Microsoft warned thousands of cloud customers that their databases could be exposed. Exploitation of the flaw could allow an attacker to steal the secret keys of Cosmos DB clients.
Ohfeld and Tzadik first discovered the flaw two weeks ago, during a routine search for new attack surfaces in the cloud. What they found was that a chain of flaws in Cosmos DB functionality combined into a single vulnerability, “allowing any user to download, delete, or manipulate a massive collection of commercial databases.” And according to the blog, exploiting it was trivial.
First, Ohfeld and Tzadik accessed customers’ Cosmos DB primary keys by exploiting a new attack vector found in a feature called Jupyter Notebook. The remedy, as Wiz advises, is for customers to change their keys. Jupyter Notebook, a tool for organizing and presenting the numbers in a database, was added to Cosmos DB by Microsoft in 2019. According to the blog, the feature was automatically enabled for all Cosmos DB accounts in February.
“In short, the notebook container allowed privilege escalation to other client notebooks,” Ohfeld and Tzadik wrote in the blog. “As a result, an attacker could gain access to clients’ Cosmos DB primary keys and other highly sensitive secrets, such as the notebook storage access token.”
From there, Ohfeld and Tzadik discovered that an attacker could exploit the keys for full administrator access to all data stored in the affected Cosmos DB accounts. While they thanked Microsoft’s security team for taking immediate action to correct the flaw, they also said customers could still be affected as their primary access keys were potentially exposed.
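Since the remedy the article describes is for customers to change their keys, the following is an added example of how that rotation can be scripted with the Azure CLI. It is not code from the article, from Wiz or from Microsoft. It assumes `az` is installed and already logged in to the right subscription; the account name and resource group are placeholders passed in by the caller. The article only mentions primary keys, but because every read-write key grants full data-plane access, this script rotates the secondary and read-only keys as well (a defender's choice, not something the article states). The secondary key is regenerated first so applications can be repointed at it before the primary is replaced.

```shell
#!/usr/bin/env bash
# Added example (not from the article, Wiz or Microsoft): rotate the access
# keys of an Azure Cosmos DB account with the Azure CLI.
# Assumes `az` is installed and logged in. ACCOUNT and RESOURCE_GROUP are
# placeholders supplied by the caller.
set -euo pipefail

# Print the command instead of running it when DRY_RUN=1; otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Regenerate one key of the given kind. Valid kinds for `az cosmosdb keys
# regenerate` are: primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
  local account="$1" rg="$2" kind="$3"
  run az cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind "$kind"
}

# Rotate all four keys of one account. Order matters: regenerate the secondary
# key first so applications can be switched to it, then regenerate the primary.
# The read-only keys are rotated afterwards in the same order.
rotate_account() {
  local account="$1" rg="$2"
  regenerate_key "$account" "$rg" secondary
  regenerate_key "$account" "$rg" primary
  regenerate_key "$account" "$rg" secondaryReadonly
  regenerate_key "$account" "$rg" primaryReadonly
}

# Usage: DRY_RUN=1 ./rotate-cosmos-keys.sh <account-name> <resource-group>
# Drop DRY_RUN=1 to actually regenerate the keys.
if [ "$#" -eq 2 ]; then
  rotate_account "$1" "$2"
fi
```

Run it first with `DRY_RUN=1` to review the four `az cosmosdb keys regenerate` calls it would make, then without it once clients are ready to pick up the new keys. Rotation only helps if every application that embedded the old primary key is updated afterwards, so the step belongs in a change window rather than being run blindly across a subscription.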
SearchSecurity has contacted Microsoft to find out how many customers have been affected, but the scope remains unclear.
“We resolved this issue immediately, to ensure the safety and protection of our customers. We thank the security researchers for working on coordinated vulnerability disclosure,” a Microsoft spokesperson said in an email to SearchSecurity.
Potential future impact
Microsoft has notified customers who may have been affected by the vulnerability. A spokesperson for Wiz told SearchSecurity that Microsoft had emailed 3,300 Azure customers. That figure represents over 30% of the Cosmos DB customers who were using the vulnerable feature during Wiz’s week-long research period.
Jake Kouns, CEO and CISO of Risk Based Security, told SearchSecurity that it was unusual not to have given Azure customers more time to fix the flaw before publicly disclosing it. “Now that they’ve created this media attention, it will likely lead attackers to try to investigate and exploit this problem more quickly,” he said.
While Microsoft says it hasn’t seen evidence that it’s been exploited before, Wiz told SearchSecurity it’s the kind of vulnerability a hacker could exploit without leaving much of a trail. Additionally, the blog says the flaw has been around for months, if not years.
“It’s highly likely that many, many more Cosmos DB customers have been affected,” a Wiz spokesperson said in an email to SearchSecurity. “Because the potential exposure is so catastrophic in this case, we encourage all customers to change their access keys.”
Cloud vulnerabilities raise unique concerns
Calling on customers to resolve the issue themselves makes this an unusual case, Kouns told SearchSecurity. Typically, with cloud vulnerabilities, the vendor is expected to implement a patch across its entire customer base. Cloud vulnerabilities have additional factors that make them unique, both positively and negatively.
The concept of cloud vulnerability tracking has been debated for a long time. Kouns said vulnerability tracking can be helpful in some ways, but in other ways it’s a horrible idea because it details exactly what an attacker needs to do. “Additionally, a large majority of cloud/SaaS vulnerabilities need to be addressed by the service provider, not the customer,” he said.
In this case, although it was disclosed, the vulnerability did not receive a CVE. In a series of tweets about the Cosmos DB vulnerability, researcher Kevin Beaumont said this is a huge gap in cloud security.
By the way, there is a huge gap in cloud security. No CVE number is issued for defects, and suppliers are not required to disclose defects. Cloud services aren’t magically secure.
You will notice that the public disclosure of this comes from an outside researcher.
– Kevin Beaumont (@GossiTheDog)
August 27, 2021
One of the researchers involved in the ChaosDB disclosure was a former Microsoft employee who now works at Wiz. According to Kouns, the vulnerability was treated as a bug bounty for which Microsoft paid $40,000. This raised a question for him as to whether prior knowledge gained while working at Microsoft was used. In addition, he asked whether there would be a change in bounty programs that could exclude former employees from participation.
Jake Williams, CTO of BreachQuest, told SearchSecurity that another aspect highlighted by the vulnerability is the double-edged sword that is cloud computing. According to Williams, when a vulnerability is discovered in the platform’s default functionality, all deployed assets are vulnerable. Therefore, threat actors do not need to scan the Internet for vulnerable instances; they are all in one place. However, there is an advantage.
“As soon as the vulnerability is discovered, it can usually be quickly remedied,” Williams said in a Twitter message to SearchSecurity. “This means the window to operations is typically shorter than with on-premises deployments, but the impact can be greater. Fortunately, in this case, it appears the security researchers discovered the vulnerability before the threat actors. We might not be so lucky next time.”
SearchSecurity editors Alexander Culafi and Shaun Nichols contributed to this article.