Researchers say the issue has been exploitable for ‘months’
Microsoft has urged customers to take action following the discovery of an Azure Cloud vulnerability allowing remote account takeover in Cosmos DB.
Disclosed by the Wiz security team on August 26, the critical vulnerability, nicknamed ‘#ChaosDB’, was found on August 9 and is described as an “unprecedented” flaw in the Azure Cosmos DB database.
Due to the severity of the vulnerability, the full technical details of the bug and the means to exploit it have not been released.
However, Wiz says that a chain of vulnerabilities found in the Jupyter Notebook feature of the platform can be used to query information about a target database and obtain credentials for Cosmos DB accounts, Jupyter Notebook compute, and Jupyter storage accounts.
This includes primary keys. Once an attacker has stolen a key, they could then access, view, tamper with, and delete information in a Cosmos DB database without authorization.
“The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies,” Wiz says.
The researchers reported the security flaw to Microsoft on August 12. The company disabled vulnerable elements of the Jupyter feature within 48 hours of private disclosure.
By August 16, Wiz observed that credentials obtained during testing had been revoked, and 24 hours later, the team were awarded a $40,000 bug bounty reward.
Meanwhile, Microsoft launched its own investigation and was able to confirm that several thousand customers could be affected.
Cutting new keys
The Redmond-based giant publicly disclosed the vulnerability on August 26 in an advisory sent to impacted customers. As the company cannot rotate primary keys on behalf of its customers, Microsoft is urging customers to regenerate their keys as soon as possible.
“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account's primary read-write key,” the company said.
Microsoft added that there were no indicators of exploitation or data theft in the wild, nor that anyone outside of Wiz had obtained access to primary read-write keys associated with Azure Cosmos DB accounts.
Wiz says that organizations should “assume” they have been exposed to attack due to the length of time it took to find and fix the flaw. Approximately 30% of Cosmos DB clients have been notified, but the researchers say they believe the number of customers impacted may be “far higher”.
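The regeneration Microsoft asks for is a routine Azure CLI operation, but the order matters if applications are not to lose access mid-rotation. The following runbook is an added example, not Microsoft's or Wiz's script: it assumes the Azure CLI (`az`) is installed and logged in, and `ACCOUNT`/`RESOURCE_GROUP` are placeholders for the customer's own Cosmos DB account. It regenerates the secondary key first, leaves a pause for the operator to move applications onto it, then regenerates the primary read-write key (the class of key ChaosDB exposed), and finally the two read-only keys. Setting `AZ=echo` prints the commands instead of running them, which is how the sequence can be reviewed before touching production.

```shell
#!/bin/sh
# Cosmos DB key rotation runbook (added example; not Microsoft's or Wiz's code).
# Assumes: Azure CLI installed and authenticated. ACCOUNT and RESOURCE_GROUP are
# placeholders. Set AZ=echo to dry-run and see the commands without executing them.

AZ="${AZ:-az}"

# Regenerate one key kind for one account. Valid kinds for
# 'az cosmosdb keys regenerate --key-kind' are:
#   primary, secondary, primaryReadonly, secondaryReadonly
regen_key() {
  account="$1"; rg="$2"; kind="$3"
  "$AZ" cosmosdb keys regenerate \
    --name "$account" \
    --resource-group "$rg" \
    --key-kind "$kind"
}

# Full rotation in an order that keeps at least one valid read-write key live:
#   1. regenerate secondary (primary still valid, apps unaffected)
#   2. operator moves applications to the new secondary key (out of band)
#   3. regenerate primary, the key kind named in Microsoft's advisory
#   4. regenerate both read-only keys
# Once step 3 completes, any primary key obtained before rotation is dead.
rotate_cosmos_keys() {
  account="$1"; rg="$2"
  regen_key "$account" "$rg" secondary         || return 1
  # --- cutover point: update app configuration to the new secondary key ---
  regen_key "$account" "$rg" primary           || return 1
  regen_key "$account" "$rg" primaryReadonly   || return 1
  regen_key "$account" "$rg" secondaryReadonly || return 1
}

# Usage (placeholders):
#   AZ=echo rotate_cosmos_keys ACCOUNT RESOURCE_GROUP   # dry-run
#   rotate_cosmos_keys ACCOUNT RESOURCE_GROUP           # live rotation
```

After a live rotation, `az cosmosdb keys list --name ACCOUNT --resource-group RESOURCE_GROUP --type keys` shows the new values for comparison with what applications now hold; any client still presenting the old primary key will start failing authentication, which is the signal that the revocation has actually taken effect.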
A technical paper describing Wiz’s findings will be published in the future.
CVEs are not generally issued for cloud security problems. However, at Black Hat USA 2021 Wiz called for a CVE cloud security initiative that would change this approach.