Chaos DB: Critical vulnerability in microsoft azure cosmos db
What is #ChaosDB?
#ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure’s flagship database - Cosmos DB. The vulnerability, which was disclosed to Microsoft in August 2021 by Wiz Research Team, gives any Azure user full admin access (read, write, delete) to another customers Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies.
By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook. By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key. Using these credentials, it is possible to view, modify, and delete data in the target Cosmos DB account via multiple channels. Below is a diagram that illustrates the attack.
Was the Issue Fixed?
Microsoft’s security teams took an immediate action to fix the problem and disabled the vulnerable feature within 48 hours of the report (see the disclosure timeline below). However, the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed. To mitigate the risk, Microsoft advises customers to regenerate the Cosmos DB Primary Keys. On Aug 26, 2021, Microsoft notified over 30% of Cosmos DB customers about the potential security breach. We believe the actual number of customers affected by #ChaosDB is higher and recommend that all customers follow this guidance.
Microsoft released the following statement to impacted customers: “Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.
We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.”
About Wiz Research Team
Wiz Research Team is a group of experienced researchers who focus on new attack vectors in the cloud. The team finds critical issues and alerts Wiz customers and the community about their findings. In 2021 alone, the team reported dozens of vulnerabilities to cloud service providers like Amazon Web Services, Google Cloud Platform and Microsoft Azure. Their work has been featured at BlackHat (1, 2) and DEFCON (1). Stay tuned for more!
Actions to take:
MDS Security Experts Recommend:
- Regenerate private / secondary keys associated with Cosmos DB
- Configure Cosmos DB Firewall, private endpoint and NSGs
- Enable diagnostic logging for Cosmos DB
- Run hunting queries to verify previous activities related to the vulnerability
- Continue to monitor Cosmos DB diagnostic logs
- Follow Microsoft guidance and best practice
How MDS can help: Microsoft Azure Sentinel
Azure Sentinel is an industry leading, intelligent, cloud native SIEM & SOAR tool
Our engineering teams can provide an end-to-end implementation of Azure Sentinel to provide visibility into threats in your environment. For more information, click here.
The material and information provided in Maureen Data Systems (“MDS”) Content are for general information only and should not, in any respect, be relied on as professional advice. The MDS Content shall be construed as author-based content and commentary. Accordingly, no warranties or other guarantees are offered as to the quality of the opinions, commentary or anything else appearing in such MDS Content. MDS expressly reserves the right to delete stories at its and their sole discretion.