Researchers discover critical flaw in Azure Cosmos DB
Wiz security researchers found a new attack vector in Microsoft Azure that, if exploited, could allow an attacker to gain access to customers' primary keys.
A major flaw in Microsoft's Azure Cosmos DB is putting thousands of companies at risk.
In a blog post Thursday, Wiz security researchers Nir Ohfeld and Sagi Tzadik detailed how they were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including Fortune 500 companies Coca-Cola and Exxon Mobil. The vulnerability, which they dubbed ChaosDB, affects Azure's flagship database service, Cosmos DB.
The story was first reported by Reuters Friday after Microsoft warned thousands of cloud customers their databases may be exposed. Exploiting the flaw could allow an attacker to steal the secret keys of Cosmos DB customers.
Ohfeld and Tzadik first uncovered the flaw two weeks ago, while on a routine search for new attack surfaces in the cloud. What they found was that a series of flaws in the Cosmos DB feature created a loophole, "allowing any user to download, delete or manipulate a massive collection of commercial databases." And according to the blog, exploiting it was trivial.
First, Ohfeld and Tzadik accessed customers' Cosmos DB primary keys by exploiting a new attack vector found in a feature called the Jupyter Notebook. Jupyter, a tool for organizing and presenting numbers in a database, was added to Cosmos DB in 2019 by Microsoft. According to the blog, the feature was automatically turned on for all Cosmos DBs this February. The remedy, as Wiz advises, is for customers to change their keys.
"In short, the notebook container allowed for a privilege escalation into other customer notebooks," Ohfeld and Tzadik wrote in the blog. "As a result, an attacker could gain access to customers' Cosmos DB primary keys and other highly sensitive secrets, such as the notebook blob storage access token."
From there, Ohfeld and Tzadik found that an attacker could leverage the keys for full admin access to all the data stored in the affected Cosmos DB accounts. While they credited Microsoft's security team for taking immediate action to fix the flaw, they also said customers may still be affected, since their primary access keys were potentially exposed.
SearchSecurity contacted Microsoft to find out how many customers were affected, but the scope remains unclear.
"We fixed this issue immediately, to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," a Microsoft spokesperson said in an email to SearchSecurity.
UPDATE 8/27: A Microsoft Security Response Center (MSRC) blog post said only a subset of customers that enabled the Jupyter Notebook feature are affected, though the post did not say how many customers were included in that subset. MSRC also said its investigation indicates that no customer data was accessed through the vulnerability. "We've notified the customers whose keys may have been affected during the researcher activity to regenerate their keys," the blog post said, which also offered guidance on key regeneration. "If you did not receive an email or in-portal notification, there is no evidence any other external parties had access to your primary read-write account key."
Potential for future impact
Microsoft has notified customers who may have been affected by the vulnerability. A Wiz spokesperson told SearchSecurity that Microsoft emailed 3,300 Azure customers. That's more than 30% of Cosmos DB customers, who were using the vulnerable entry point feature during Wiz's weeklong research period.
Jake Kouns, CEO and CISO at Risk Based Security, told SearchSecurity that it is unusual to have not given Azure clients more time to fix the flaw before publicly disclosing. "Now that they have created this media attention, it will likely lead to attackers trying to investigate and exploit this issue faster," he said.
While Microsoft says it has not seen evidence that the flaw has been exploited previously, Wiz told SearchSecurity that this is the kind of vulnerability a hacker could exploit without leaving much of a trace. Additionally, the blog states the flaw has existed anywhere from several months to possibly years.
"It's highly likely that many, many more Cosmos DB customers were affected," a Wiz spokesperson said in an email to SearchSecurity. "Because the potential exposure is so catastrophic in this case, we're encouraging all customers to change their access keys."
Cloud vulnerabilities raise unique concerns
The call to customers to fix this issue makes this case unusual, Kouns told SearchSecurity. Typically, with cloud vulnerabilities, the vendor is required to implement a fix across its entire customer base. Cloud vulnerabilities have additional factors that make them unique, in both positive and negative ways.
The concept of tracking vulnerabilities in the cloud has been long debated. Kouns said tracking vulnerabilities can be helpful in some ways, but in other ways it is a horrible idea because it details exactly what an attacker needs to do. "Further, a vast majority of cloud/SaaS vulnerabilities must be patched by the service provider, not the customer," he said.
In this case, while it has been disclosed, the vulnerability has not been assigned a CVE. In a series of tweets about the Cosmos DB flaw, researcher Kevin Beaumont said this is a massive gap in cloud security.
There is a massive gap in cloud security, by the way. No CVE numbers are issued for flaws, and suppliers aren’t required to disclose flaws. Cloud services aren’t magically secure.
— Kevin Beaumont (@GossiTheDog) August 27, 2021
You’ll notice public disclosure of this comes from an external researcher.
One of the researchers involved in the ChaosDB disclosure was a former Microsoft employee who now works at Wiz. According to Kouns, the vulnerability was handled as a bug bounty for which Microsoft paid $40,000. This raised a question for him regarding whether any prior knowledge gained while working at Microsoft was used. Furthermore, he questioned if there will be a change in bounty programs that may exclude prior employees from taking part.
Jake Williams, CTO at BreachQuest, told SearchSecurity another aspect the vulnerability highlights is the double-edged sword that is cloud computing. According to Williams, when a vulnerability is discovered in a default feature of the platform, all deployed assets are vulnerable. Therefore, threat actors don't need to scan the internet looking for vulnerable instances; they are all in one place. However, there is an upside.
"As soon as the vulnerability is discovered, it can usually be rapidly patched," Williams said in a Twitter message to SearchSecurity. "This means the window for exploitation is typically shorter than with on-premise deployments, but the impact can be greater. Thankfully, in this case it appears security researchers found the vulnerability before any threat actors did. We may not be so lucky the next time."
SearchSecurity news writers Alexander Culafi and Shaun Nichols contributed to this article.