“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

Cosmos DB is a managed database service offering—including both relational and noSQL data structures—belonging to Microsoft's Azure cloud infrastructure.

Cloud security vendor Wiz announced yesterday that it found a vulnerability in Microsoft Azure’s managed database service, Cosmos DB, that granted read/write access for every database on the service to any attacker who found and exploited the bug.

Although Wiz only found the vulnerability—which it named “Chaos DB”—two weeks ago, the company says that the vulnerability has been lurking in the system for “at least several months, possibly years.”

A slingshot around Jupyter

In 2019, Microsoft added the open-source Jupyter Notebook functionality to Cosmos DB. Jupyter Notebooks are a particularly user-friendly way to implement machine learning algorithms; Microsoft promoted Notebooks specifically as a useful tool for advanced visualization of data stored in Cosmos DB.

Jupyter Notebook functionality was enabled automatically for all Cosmos DB instances in February 2021, but Wiz believes the bug in question likely goes back further—possibly all the way back to Cosmos DB’s first introduction of the feature in 2019.

Wiz isn’t giving away all the technical details yet, but the short version is that misconfiguration in the Jupyter feature opens up a privilege escalation exploit. That exploit could be abused to gain access to other Cosmos DB customers’ primary keys—according to Wiz, any other Cosmos DB customer’s primary key, along with other secrets.

Access to a Cosmos DB instance’s primary key is “game over.” It allows full read, write, and delete permissions to the entire database belonging to that key. Wiz’s Chief Technology Officer Ami Luttwak describes this as “the worst cloud vulnerability you can imagine,” adding, “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

rotate its keys immediately to ensure security going forward.

Microsoft’s response

Microsoft disabled the Chaos DB vulnerability two weeks ago—less than 48 hours after Wiz privately reported it. Unfortunately, Microsoft cannot change its customers’ primary keys itself; the onus is on Cosmos DB customers to rotate their keys.
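The key rotation the article says customers must perform, as an added example (not from the article, Wiz or Microsoft) using the Az.CosmosDB PowerShell module. It assumes `Connect-AzAccount` has already been run and uses placeholder resource group and account names; the secondary key is regenerated first so clients can move to it before the possibly exposed primary key is invalidated.

```powershell
# Added example: rotate a Cosmos DB account's master keys without downtime.
# Assumes Connect-AzAccount has already run; the two names are placeholders.
param(
    [string]$ResourceGroupName = "<resource-group>",   # placeholder
    [string]$AccountName       = "<cosmos-account>"    # placeholder
)

# Log a short SHA-256 fingerprint instead of the key so transcripts never hold the secret.
function Get-KeyFingerprint([string]$Key) {
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key))
    return ([System.BitConverter]::ToString($hash) -replace '-', '').Substring(0, 12)
}

function Get-MasterKeys {
    Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -Type "Keys"
}

$before = Get-MasterKeys
Write-Host "Primary   before: $(Get-KeyFingerprint $before.PrimaryMasterKey)"
Write-Host "Secondary before: $(Get-KeyFingerprint $before.SecondaryMasterKey)"

# Step 1: regenerate the secondary key. Clients are still on the primary, so this
# is harmless, and it gives them a fresh key that no earlier leak could have captured.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -KeyKind "secondary" | Out-Null
Read-Host "New secondary key issued. Point every client at it, then press Enter"

# Step 2: with nothing using the primary any more, regenerate it. Any copy of the
# old primary key (the secret Chaos DB exposed) stops working at this point.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName -KeyKind "primary" | Out-Null

# Step 3: verify both keys actually changed before declaring the rotation done.
$after = Get-MasterKeys
foreach ($kind in "PrimaryMasterKey", "SecondaryMasterKey") {
    if ($before.$kind -eq $after.$kind) {
        throw "$kind did not change; rotation incomplete"
    }
    Write-Host "$kind rotated: $(Get-KeyFingerprint $after.$kind)"
}
```

The read-only keys (`-KeyKind primaryReadonly` and `secondaryReadonly`) grant read access to every container in the account and should be rotated the same way.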

According to Microsoft, there’s no evidence that any malicious actors found and exploited Chaos DB prior to the Wiz discovery. An emailed statement from Microsoft to Bloomberg said, “We are not aware of any customer data being accessed because of this vulnerability.” In addition to warning 3,000+ customers of the vulnerability and providing mitigation instructions, Microsoft paid Wiz a $40,000 bounty.
