Users of Microsoft’s Azure Cosmos DB are being urged to regenerate their account access keys to protect against a critical vulnerability, discovered in the vendor’s cloud platform, that allows remote takeover of customer accounts on Azure’s flagship database service.
Researchers from US-based cloud security provider Wiz said in a blog post published on 26 August that they were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies.
According to the researchers, Nir Ohfeld and Sagi Tzadik, a series of flaws in a Cosmos DB feature created a loophole allowing any Azure user to download, delete or manipulate a massive collection of commercial databases, and gave read/write access to the underlying architecture of the database.
The vulnerability, dubbed ChaosDB, has been described by Wiz as “an unprecedented critical vulnerability” in the Azure cloud platform.
The vulnerability, which was disclosed to Microsoft in August 2021 by the Wiz research team, gives any Azure user full admin access – read, write or delete – to another customer’s Cosmos DB instances without authorisation.
“The vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organisations, including numerous Fortune 500 companies,” the company said in an advisory post.
“By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook.
“By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute and the Jupyter Notebook Storage account, including the Primary Key.
“Using these credentials, it is possible to view, modify and delete data in the target Cosmos DB account via multiple channels,” it added.
According to Wiz, Microsoft’s security teams took immediate action to fix the problem following the disclosure and disabled the vulnerable feature within 48 hours of receiving the report.
“However, the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed,” the cyber security company said. “To mitigate the risk, Microsoft advises customers to regenerate the Cosmos DB Primary Keys.
“On Aug 26, 2021, Microsoft notified over 30 per cent of Cosmos DB customers about the potential security breach. We believe the actual number of customers affected by ChaosDB is higher and recommend that all customers follow this guidance,” the company added.
The United States Cybersecurity and Infrastructure Security Agency (CISA) said in guidance published on 27 August that it was aware of the issue and urged all Azure Cosmos DB customers to regenerate their keys.
“Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft’s guidance on how to Secure access to data in Azure Cosmos DB,” the agency said.
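The mitigation both Wiz and CISA recommend is to regenerate the Cosmos DB account keys, since any key that existed while the notebook feature was exploitable must be treated as leaked. The script below is an added example, not code from Wiz, CISA or Microsoft; it wraps the Azure CLI’s `az cosmosdb keys regenerate` command to rotate all four keys of an account and to log a fingerprint (not the value) of the primary key before and after. It assumes the Azure CLI is installed and logged in; the account name and resource group are passed by the caller, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Rotate every key of an Azure Cosmos DB account after ChaosDB.
# Added example; assumes the Azure CLI ('az') is installed and logged in.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

AZ_CMD=${AZ_CMD:-az}

# Run an az command, or in dry-run mode print it as one line.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$AZ_CMD $*"
  else
    "$AZ_CMD" "$@"
  fi
}

# Short fingerprint of the current primary key, safe to write to a log.
# (Never log the key itself; it grants full read/write access.)
primary_key_fingerprint() {
  account=$1; rg=$2
  run_az cosmosdb keys list --name "$account" --resource-group "$rg" \
    --type keys --query primaryMasterKey -o tsv \
    | sha256sum | cut -c1-16
}

# Regenerate one key. Valid kinds for the Azure CLI --key-kind flag:
# primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
  account=$1; rg=$2; kind=$3
  run_az cosmosdb keys regenerate --name "$account" \
    --resource-group "$rg" --key-kind "$kind"
}

# Rotate all four keys. The secondary goes first so an application that
# has been moved onto it keeps working while the primary (the key the
# ChaosDB chain exposed) is replaced; the read-only keys follow, since
# they were leaked through the same channel.
rotate_account() {
  account=$1; rg=$2
  for kind in secondary primary secondaryReadonly primaryReadonly; do
    regenerate_key "$account" "$rg" "$kind"
  done
}

# Usage: ./rotate_cosmos_keys.sh <account-name> <resource-group>
if [ "$#" -eq 2 ]; then
  printf 'primary key before rotation: %s\n' "$(primary_key_fingerprint "$1" "$2")"
  rotate_account "$1" "$2"
  printf 'primary key after rotation:  %s\n' "$(primary_key_fingerprint "$1" "$2")"
fi
```

Every client still holding an old key loses access the moment that key is regenerated, so in production you would call `regenerate_key … secondary`, move the applications to the new secondary key, and only then regenerate the primary (and repeat for the read-only pair) rather than rotating all four in one pass. Microsoft’s note that accounts with a vNET or firewall enabled were protected is a reason to check those settings too, but it is not a reason to skip the rotation.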
According to Wiz, Microsoft released a statement to impacted customers, noting that it had mitigated the vulnerability immediately after becoming aware of it on 12 August 2021.
“We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s),” the statement from Microsoft noted, according to Wiz. “In addition, we are not aware of any data access because of this vulnerability.
“Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorised access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure,” it said.