Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.
Wiz has named the flaw ChaosDB.
“By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook,” reads Wiz’s explanation. “By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key.”
And once you have those creds, it’s party time. Wiz reckons the fun to be had includes the powers to “view, modify, and delete data in the target Cosmos DB account via multiple channels.”
Wiz’s advisory claims it found the flaw on August 9, informed Microsoft on the 12th, saw the vulnerable feature had been disabled on the 14th, and noticed some credentials had been revoked on the 16th. It went public today, August 26.
Microsoft paid a $40,000 bounty to the flaw's finders on the 17th. Wiz says the Windows giant has advised Azure users to regenerate their Cosmos DB primary keys ASAP as a precaution. We’re told Redmond sent out the following notice to at least some of its cloud subscribers:
Interestingly, Wiz says that, to the best of its knowledge, Microsoft has advised only 30 per cent of its customers about the problem. “We believe the actual number of customers affected by ChaosDB is higher,” the smaller firm says.
A spokesperson for Microsoft told The Register on Thursday: “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure.”
According to the mega-corp, no customer data was accessed via the vulnerability and no one exploited it in the wild. Its spokespeople didn’t address Wiz’s figure of 30 per cent, saying instead that “customers who may have been impacted received a notification from us.”
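For admins following Microsoft's advice to regenerate keys, the order matters: a Cosmos DB account has a primary and a secondary read-write key (plus read-only equivalents), and regenerating the key your applications are currently using takes them offline. The script below is an added example written for this article, not Microsoft's notice or Wiz's code; it rotates the standby key first, waits for you to move clients onto it, then rotates the formerly active key so a leaked copy stops working. It assumes the Azure CLI is installed and logged in; the account and resource-group names in the usage comment are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
# Added example (not from the article): zero-downtime rotation of Cosmos DB
# account keys with the Azure CLI. Assumptions: `az` is installed and logged
# in to the right subscription; account/resource-group names are placeholders.
# Set DRY_RUN=1 to print the az commands instead of executing them.

# Run an az command, or just print it when DRY_RUN=1.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY-RUN: az %s\n' "$*"
  else
    az "$@"
  fi
}

# Regenerate one key of an account. kind is one of:
#   primary | secondary | primaryReadonly | secondaryReadonly
regenerate_key() {
  run_az cosmosdb keys regenerate --name "$1" --resource-group "$2" --key-kind "$3"
}

# Pause for the operator to repoint applications. Non-interactive under DRY_RUN.
wait_for_cutover() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'cutover: %s\n' "$1"
  else
    printf '%s, then press Enter to continue: ' "$1"
    read -r _
  fi
}

# Rotate a pair of keys without downtime:
#   1. regenerate the standby key (nothing should be using it)
#   2. operator moves every client from the active key to the new standby
#   3. regenerate the formerly active key, invalidating any leaked copy
# rotate_key_pair <account> <resource-group> <standby-kind> <active-kind>
rotate_key_pair() {
  account="$1"; rg="$2"; standby="$3"; active="$4"
  printf 'step 1: regenerating %s key of %s (clients on %s are unaffected)\n' "$standby" "$account" "$active"
  regenerate_key "$account" "$rg" "$standby" || return 1
  wait_for_cutover "move all clients of $account from the $active key to the new $standby key"
  printf 'step 2: regenerating %s key of %s (any leaked %s key is now dead)\n' "$active" "$account" "$active"
  regenerate_key "$account" "$rg" "$active" || return 1
  printf 'done: both %s/%s keys of %s are new\n' "$standby" "$active" "$account"
}

# Rotate the read-write pair, then the read-only pair, of one account.
rotate_all_keys() {
  rotate_key_pair "$1" "$2" secondary primary &&
  rotate_key_pair "$1" "$2" secondaryReadonly primaryReadonly
}

# Usage (placeholder names):
#   DRY_RUN=1 rotate_all_keys my-cosmos-account my-resource-group   # preview
#   rotate_all_keys my-cosmos-account my-resource-group             # for real
```

Rotating only the primary key, as the notice suggests, is the minimum; if the secondary and read-only keys were issued before the feature was disabled, rotate them too, and check any Key Vault secrets, app settings and connection strings that embed the old values.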
We might suggest some of that $20bn in cyber-security spending Microsoft CEO Satya Nadella pledged earlier should go toward taking another look through Cosmos DB’s defenses. ®