Microsoft Azure found to have the 'worst cloud vulnerability you can imagine' -- ChaosDB
Security researchers have discovered a serious security vulnerability in Microsoft Azure that could give an attacker unfettered access to any and all of the databases stored on its Cosmos DB service.
Researchers from security firm Wiz found that it is not only possible but trivial to obtain the primary keys to databases. The vulnerability, dubbed ChaosDB, may have existed since the introduction of the Jupyter Notebook feature back in 2019, and it gives attackers the ability to access, edit and delete data or entire databases. Microsoft is unable to change primary keys itself, and has emailed customers to advise them to do so; but the company has been criticized for failing to contact sufficient numbers of users.
Speaking to Reuters, Wiz CTO Ami Luttwak said: "This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted".
Wiz has revealed some details of the serious security issue in a blog post in which it explains how it was able to "gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies".
The post breaks down an attack into a two-step process:
Part 1: Stealing primary keys of Cosmos DB customers
First, we gained access to customers’ Cosmos DB primary keys. Primary keys are the holy grail for attackers – they are long-lived and allow full READ/WRITE/DELETE access to customer data.
In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB that lets customers visualize their data and create customized views. The feature was automatically turned on for all Cosmos DBs in February 2021.
A series of misconfigurations in the notebook feature opened up a new attack vector we were able to exploit. In short, the notebook container allowed for a privilege escalation into other customer notebooks (we'll share technical details on the escalation soon).
As a result, an attacker could gain access to customers’ Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token.
Part 2: Accessing customer data in Cosmos DB
Next, after harvesting the Cosmos DB secrets, we showed that an attacker can leverage these keys for full admin access to all the data stored in the affected Cosmos DB accounts.
We exfiltrated the keys to gain long-term access to the customer assets and data. We could then control the customer Cosmos DB directly from the internet, with full read/write/delete permissions.
Wiz adds, in sinister fashion: "Now imagine repeating this process for thousands of different customers across more than 30 regions..."
Worryingly, it is possible that the primary key for a database may have been exposed even if a customer had never used the notebook feature. This is down to the fact that in February this year, every newly created Cosmos DB account had the notebook feature enabled by default. Wiz warns:
If the customer didn't use the feature in the first three days, it was automatically disabled. An attacker who exploited the vulnerability during that window could obtain the Primary Key and have ongoing access to the Cosmos DB account.
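Because a stolen primary key is long-lived and works from anywhere on the internet, one practical check for a Cosmos DB owner is to look for key-authenticated data-plane requests arriving from clients that are not expected to hold the key, particularly after a window in which the key may have been exposed. The script below is an added example written for this page; it is not code from the article, from Wiz or from Microsoft. The record field names (TimeGenerated, accountName_s, authTokenType_s, clientIpAddress_s, operationType_s, requestResourceType_s) follow the AzureDiagnostics DataPlaneRequests shape as the author understands it and should be treated as assumptions to be mapped onto your own export; the log records, account names and allowlisted network are constructed.

```python
"""Flag Cosmos DB data-plane requests authenticated with an account key
(rather than Azure AD or a scoped resource token) that come from clients
outside an expected allowlist.

Field names are assumed to follow the AzureDiagnostics DataPlaneRequests
shape; the records below are constructed for this example."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one JSON record per line.
SAMPLE_LOG = """\
{"TimeGenerated":"2021-02-03T10:01:00Z","accountName_s":"contoso-prod","authTokenType_s":"AAD","clientIpAddress_s":"10.0.4.12","operationType_s":"Query","requestResourceType_s":"Document","statusCode_s":"200"}
{"TimeGenerated":"2021-02-03T10:02:30Z","accountName_s":"contoso-prod","authTokenType_s":"PrimaryMasterKey","clientIpAddress_s":"10.0.4.15","operationType_s":"Create","requestResourceType_s":"Document","statusCode_s":"201"}
{"TimeGenerated":"2021-02-05T23:14:09Z","accountName_s":"contoso-prod","authTokenType_s":"PrimaryMasterKey","clientIpAddress_s":"203.0.113.77","operationType_s":"Read","requestResourceType_s":"Document","statusCode_s":"200"}
{"TimeGenerated":"2021-02-05T23:14:11Z","accountName_s":"contoso-prod","authTokenType_s":"PrimaryMasterKey","clientIpAddress_s":"203.0.113.77","operationType_s":"Delete","requestResourceType_s":"Collection","statusCode_s":"204"}
{"TimeGenerated":"2021-02-06T01:00:00Z","accountName_s":"contoso-analytics","authTokenType_s":"PrimaryReadonlyMasterKey","clientIpAddress_s":"198.51.100.9","operationType_s":"Query","requestResourceType_s":"Document","statusCode_s":"200"}
{"TimeGenerated":"2021-02-06T01:05:00Z","accountName_s":"contoso-analytics","authTokenType_s":"ResourceToken","clientIpAddress_s":"198.51.100.9","operationType_s":"Read","requestResourceType_s":"Document","statusCode_s":"200"}
"""

# Token types that prove possession of an account-level key. The read-write
# master keys are the ones ChaosDB exposed; read-only keys are still worth
# watching, so both families are matched and read-write use is ranked higher.
READ_WRITE_KEY_TYPES = {"PrimaryMasterKey", "SecondaryMasterKey"}
READ_ONLY_KEY_TYPES = {"PrimaryReadonlyMasterKey", "SecondaryReadonlyMasterKey"}

# Client ranges from which key-based access is expected (constructed allowlist).
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Operations a stolen read-write key enables that a read-only key would not.
DESTRUCTIVE_OPS = {"Delete", "Replace", "Upsert", "Create"}


def parse_records(text):
    """Parse newline-delimited JSON records and attach an aware datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_expected_client(ip_text, nets=EXPECTED_CLIENT_NETS):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable address is never treated as expected
    return any(ip in net for net in nets)


def find_key_use_from_unexpected_clients(records, nets=EXPECTED_CLIENT_NETS, since=None):
    """Return findings for key-authenticated requests from outside `nets`.

    `since` (aware datetime) restricts the scan to requests at or after that
    time, e.g. the start of the window in which a key may have been exposed."""
    findings = []
    for rec in records:
        token = rec.get("authTokenType_s", "")
        if token not in READ_WRITE_KEY_TYPES and token not in READ_ONLY_KEY_TYPES:
            continue  # AAD / resource-token auth does not indicate key possession
        if since is not None and rec["_time"] < since:
            continue
        if is_expected_client(rec.get("clientIpAddress_s", ""), nets):
            continue
        severity = "high" if token in READ_WRITE_KEY_TYPES else "medium"
        if severity == "high" and rec.get("operationType_s") in DESTRUCTIVE_OPS:
            severity = "critical"
        findings.append({
            "time": rec["TimeGenerated"],
            "account": rec.get("accountName_s"),
            "client_ip": rec.get("clientIpAddress_s"),
            "token_type": token,
            "operation": f'{rec.get("operationType_s")} {rec.get("requestResourceType_s")}',
            "severity": severity,
        })
    return findings


def summarize_by_account(findings):
    """Group findings per account: which clients used a key and the worst severity."""
    order = {"medium": 1, "high": 2, "critical": 3}
    summary = defaultdict(lambda: {"clients": set(), "worst": "medium", "count": 0})
    for f in findings:
        entry = summary[f["account"]]
        entry["clients"].add(f["client_ip"])
        entry["count"] += 1
        if order[f["severity"]] > order[entry["worst"]]:
            entry["worst"] = f["severity"]
    return {acct: {"clients": sorted(v["clients"]), "worst": v["worst"], "count": v["count"]}
            for acct, v in summary.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    found = find_key_use_from_unexpected_clients(recs)
    for f in found:
        print(f"[{f['severity']:>8}] {f['time']} {f['account']} {f['client_ip']} {f['token_type']} {f['operation']}")
    print(json.dumps(summarize_by_account(found), indent=2))
```

Requests authenticated with AAD or a resource token are ignored on purpose: they say nothing about who holds the account key. Any account that shows key-based access from an unexpected client is a candidate for immediate key regeneration, which is the remediation both Wiz and Microsoft describe on this page.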
Microsoft issued a statement saying:
On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. We mitigated the vulnerability immediately.
Our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers. We've notified the customers whose keys may have been affected during the researcher activity to regenerate their keys.
The company has contacted around 3,300 customers advising them to change their keys, but Wiz does not think this is enough, believing that all users should be told to change their security credentials.