A vulnerability in Microsoft’s Azure Cosmos DB, disclosed yesterday, could have let attackers download or edit customers’ data and change the architecture of affected database accounts, according to a report by cybersecurity company Wiz.
The Microsoft Security Response Center published an article on the vulnerability on Friday, saying that Microsoft was contacted on August 12 and “mitigated the vulnerability immediately.”
Wiz believes the vulnerability had existed for at least several months and possibly years. The company issued a report on Thursday with some details on the Cosmos DB vulnerability – which it dubs “ChaosDB” – involving the Jupyter Notebook data visualization feature of Cosmos DB, which Microsoft began enabling by default for newly created Cosmos DB accounts in February 2021.
“The notebook container allowed for a privilege escalation into other customer notebooks,” according to the report from Wiz. From there, an attacker could obtain primary keys and notebook blob storage access tokens and gain full administrative access to the data stored in affected Cosmos DB accounts, Wiz said.
In its post on the vulnerability, the Microsoft Security Response Center said that “our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers.”
“We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys,” Microsoft said in the post.
Microsoft sent notifications “to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key,” according to the MSRC post. “Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable.”
Microsoft also published a list of best practices for Azure Cosmos DB users, including restricting network access to accounts with a combination of firewall rules, virtual networks (VNet) and/or Azure Private Link, using role-based access control instead of shared keys where possible, and rotating keys on a regular schedule.
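The following Azure CLI script is an added example, not code from the article, Wiz or Microsoft, showing how a Cosmos DB owner would carry out the two remediations described above: regenerating the exposed primary read-write key without breaking clients, and locking the account down with an IP firewall and a ban on key-based changes to the account’s structure. The account name, resource group and IP ranges are placeholders, and the AZ variable is a local convention for dry-running the commands (AZ=echo) rather than anything in the Azure CLI. Only the primary read-write key was exposed by ChaosDB, so the secondary can safely carry traffic while the primary is regenerated; regenerating the secondary first, as the script does, guarantees that the key clients are about to move to is also fresh.

```shell
#!/bin/sh
# Added example (not from the article, Wiz or Microsoft): remediation steps
# for a Cosmos DB account whose primary read-write key may have leaked.
# Requires `az login` against the target subscription. ACCOUNT, RESOURCE_GROUP
# and the IP ranges passed in are placeholders chosen for this example.
# AZ is a local dry-run convention: AZ=echo prints the commands instead of
# running them, which is also how the script is tested without network access.
AZ="${AZ:-az}"

# Rotate both read-write keys in the order that keeps clients working:
#   1. regenerate the secondary (not exposed, but about to carry traffic)
#   2. operator re-points clients at the new secondary (manual step)
#   3. regenerate the exposed primary
# Clients can later be moved back to the primary, or left on the secondary.
rotate_cosmos_keys() {
    account="$1"; rg="$2"
    $AZ cosmosdb keys regenerate --key-kind secondary \
        --name "$account" --resource-group "$rg"
    # show the fresh secondary so the operator can update client config
    $AZ cosmosdb keys list --type keys \
        --name "$account" --resource-group "$rg"
    echo "# Move every client to the new secondary key, then press Enter." >&2
    # no operator is present in a dry run, so skip the pause there
    [ "$AZ" = echo ] || read -r _ || true
    $AZ cosmosdb keys regenerate --key-kind primary \
        --name "$account" --resource-group "$rg"
}

# Restrict the account to known caller IPs and stop holders of a data-plane
# key from creating or reshaping databases and containers. Note the caveat:
# --disable-key-based-metadata-write-access blocks only control-plane style
# writes made with keys; data access with a valid key still works, so this
# complements key rotation rather than replacing it.
lock_down_cosmos_account() {
    account="$1"; rg="$2"; allowed_ips="$3"   # comma-separated CIDRs / IPs
    $AZ cosmosdb update --name "$account" --resource-group "$rg" \
        --ip-range-filter "$allowed_ips" \
        --disable-key-based-metadata-write-access true
}

# Usage (after `az login`):
#   rotate_cosmos_keys my-cosmos-account my-resource-group
#   lock_down_cosmos_account my-cosmos-account my-resource-group "203.0.113.0/24,198.51.100.7"
```

For accounts that can move entirely to Azure AD identities with Cosmos DB’s built-in data roles, the shared keys can be left unused after rotation; where clients still need keys, schedule the rotation function to run regularly so a key that leaks has a bounded lifetime.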
Microsoft disabled the vulnerable notebook feature within 48 hours of Wiz reporting the issue, according to Wiz. “It’s still turned off for all customers pending a security redesign,” according to the report.
“However, customers may still be impacted since their primary access keys were potentially exposed. These are long-lived secrets and in the event of a breach, an attacker could use the key to exfiltrate databases,” according to the report.
Microsoft notified more than 30 percent of Cosmos DB customers that “they need to manually rotate their access keys to mitigate this exposure,” according to the Wiz report. “However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.”
“As a precaution, we urge every Cosmos DB customer to take steps to protect their information,” according to the report.
“Every Cosmos DB account that uses the notebook feature, or that was created after January 2021, is potentially at risk. Starting this February, every newly created Cosmos DB account had the notebook feature enabled by default and their Primary Key could have been exposed even if the customer was not aware of it and never used the feature.”
If a customer did not use the notebook feature within three days of account creation, it was automatically disabled, according to the report. “An attacker who exploited the vulnerability during that window could obtain the Primary Key and have ongoing access to the Cosmos DB account,” the report said.
Microsoft paid Wiz a $40,000 bounty for the report, according to Wiz.