A now-repaired flaw in Microsoft Azure exposed thousands of client databases, giving hackers unrestricted access to their accounts and databases.
Nir Ohfeld and Sagi Tzadik, security researchers at Wiz, describe how they uncovered the vulnerability, which affects Azure’s flagship database service, Cosmos DB.
Hundreds of blue chip customers use Cosmos DB to manage massive amounts of data from around the world in near real time, the researchers point out.
They describe how a series of flaws in a Cosmos DB feature created a loophole that allowed any user to download, delete or manipulate a massive collection of commercial databases, and also gave read/write access to the underlying architecture of Cosmos DB.
They named the vulnerability #ChaosDB.
They describe how, in 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB that lets customers visualize their data and create customized views. This feature was automatically enabled for all Cosmos DBs in February 2021.
However, a series of misconfigurations in the notebook feature opened up a new attack vector that they were able to exploit, giving them access to customers’ Cosmos DB primary keys and other sensitive secrets, such as the notebook blob storage access token.
They were also able to leverage these keys for full admin access to all the data stored in the affected Cosmos DB accounts, and could exfiltrate the keys to gain long-term access to the customer assets and data.
Wiz informed Microsoft of the vulnerability, and it was fixed within 48 hours.
Microsoft has since emailed some customers to alert them that their primary access keys were potentially exposed, advising them to manually rotate their access keys to mitigate the exposure.
It is believed that Microsoft has notified only the customers potentially exposed during the time the Wiz researchers were inside the system, but others could be at risk if the vulnerability was exploitable for longer. Ohfeld and Tzadik argue that any Cosmos DB account using the notebook feature created after February 2021 could be at risk.
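Since the article's advice is to rotate the account keys, and since the researchers argue that accounts beyond those Microsoft emailed could be affected, the following added example shows what a rotation looks like in practice. It is not code from the article, from Wiz or from Microsoft. It assumes the Azure CLI (`az`) is installed and logged in with write access to the account, and uses the `az cosmosdb keys regenerate` and `az cosmosdb keys list` commands; `ACCOUNT_NAME` and `RESOURCE_GROUP` are placeholders, and the hook-function convention is this example's own. It goes slightly beyond the article by rotating the read-only key pair as well as the read-write pair the article refers to.

```shell
#!/bin/sh
# Added example (not from the article, Wiz or Microsoft): rotate the
# read-write and read-only key pairs of a Cosmos DB account with the
# Azure CLI, secondary key first, so that clients moved onto the fresh
# secondary key keep working while the primary key is regenerated.
# Assumes "az" is installed and logged in with rights to the account;
# ACCOUNT_NAME and RESOURCE_GROUP in the usage line are placeholders.

set -eu

# Regenerate one key. KIND is primary, secondary, primaryReadonly or
# secondaryReadonly (the values accepted by --key-kind).
regenerate_key() {  # $1 account, $2 resource group, $3 kind
  az cosmosdb keys regenerate --name "$1" --resource-group "$2" --key-kind "$3"
}

# Read back one key value so it can be handed to the caller's hook.
# FIELD is the JSON property returned by "keys list", e.g. primaryMasterKey.
fetch_key() {  # $1 account, $2 resource group, $3 field
  az cosmosdb keys list --name "$1" --resource-group "$2" --type keys \
    --query "$3" -o tsv
}

# Default hook (this example's own convention): the operator must move
# clients onto the new key before the script continues, otherwise the
# next step would cut them off. A real hook would write the key into
# Key Vault or the application's configuration store.
wait_for_operator() {  # $1 key kind, $2 new key value (deliberately not printed)
  printf 'New %s key issued. Press Enter once clients use it: ' "$1" >&2
  read -r _
}

# Rotate one primary/secondary pair. SUFFIX is "" for the read-write pair
# or "Readonly" for the read-only pair.
rotate_pair() {  # $1 account, $2 resource group, $3 suffix, $4 hook
  # Step 1: regenerate the secondary key; clients on the primary key are unaffected.
  regenerate_key "$1" "$2" "secondary$3"
  "$4" "secondary$3" "$(fetch_key "$1" "$2" "secondary${3}MasterKey")"
  # Step 2: clients now use the new secondary key, so the old primary key,
  # the one the article says may have been exposed, can be regenerated.
  regenerate_key "$1" "$2" "primary$3"
  "$4" "primary$3" "$(fetch_key "$1" "$2" "primary${3}MasterKey")"
}

# Rotate everything: the read-write pair, then the read-only pair.
rotate_account_keys() {  # $1 account, $2 resource group, $3 hook (optional)
  rotate_pair "$1" "$2" "" "${3:-wait_for_operator}"
  rotate_pair "$1" "$2" "Readonly" "${3:-wait_for_operator}"
}

# Usage (runs only when both arguments are given, so sourcing this file
# does not rotate anything):
#   sh rotate_cosmos_keys.sh ACCOUNT_NAME RESOURCE_GROUP
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
  rotate_account_keys "$1" "$2"
fi
```

The order matters: regenerating the primary key first would break every client still configured with it, and a script that regenerates both keys without a pause in between leaves no valid key for clients to switch to. Passing a custom hook lets the same routine push each new key into whatever secret store the application reads from instead of waiting on an operator.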