“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure
Cloud security provider Wiz announced yesterday that it had found a vulnerability in Cosmos DB, Microsoft Azure’s managed database service, which granted read and write access to every database in the service to any attacker who found and exploited the bug.
Although Wiz only found the vulnerability, which it named “Chaos DB”, two weeks ago, the company says the flaw had been lurking in the system for “at least several months, if not years.”
A sling around Jupyter
In 2019, Microsoft added the open source Jupyter Notebook feature to Cosmos DB. Jupyter notebooks are a particularly user-friendly way to implement machine learning algorithms, and Microsoft has promoted Notebooks specifically as a tool for advanced visualization of data stored in Cosmos DB.
The Jupyter Notebook feature was automatically enabled for all new Cosmos DB instances in February 2021, but Wiz believes the bug probably dates further back, possibly to the feature’s introduction in Cosmos DB in 2019.
Wiz has not yet published full technical details, but the short version is that a misconfiguration in the Jupyter feature opened up a privilege escalation path. According to Wiz, that escalation could be abused to obtain the primary key of any other Cosmos DB customer, along with other secrets.
Access to the primary key of a Cosmos DB instance is “game over”. It grants full read, write, and delete permissions over the entire database account the key belongs to. Wiz CTO Ami Luttwak describes it as “the worst cloud vulnerability you can imagine,” adding, “This is Azure’s central database, and we were able to access any customer database we wanted.”
Unlike short-lived access tokens, the primary key of a Cosmos DB account does not expire. If it has already been disclosed and is not rotated, an attacker could still use it to exfiltrate, manipulate or destroy the database years from now.
According to Wiz, Microsoft has emailed only about 30% of its Cosmos DB customers about the vulnerability. The email warned those users to rotate their primary key manually, so that any leaked key is no longer useful to attackers. The notified customers are those who had the Jupyter Notebook feature enabled during the roughly one-week period in which Wiz was exploring the vulnerability.
From February 2021, when all new Cosmos DB instances were created with Jupyter Notebook enabled, the Cosmos DB service automatically disabled the feature if it was not used within the first three days. This is why the number of notified customers was so low: the roughly 70% of customers Microsoft did not notify had either disabled Jupyter manually or had it disabled automatically for lack of use.
Unfortunately, that does not really cover the full scope of the vulnerability. Since any Cosmos DB instance with Jupyter enabled was vulnerable, and the primary key is not an ephemeral secret, it is impossible to know for sure who holds the keys to which instances. An attacker with a specific target could have quietly harvested that target’s primary key without doing anything noisy enough to be noticed (yet).
Nor can we rule out a larger-scale scenario, in which a hypothetical attacker retrieved the primary key of every new Cosmos DB instance during its initial three-day window and stockpiled those keys for later use. We agree with Wiz here: if your Cosmos DB instance has ever had the Jupyter Notebook feature enabled, rotate its keys immediately.
Microsoft closed the Chaos DB vulnerability two weeks ago, less than 48 hours after Wiz privately reported it. Unfortunately, Microsoft cannot change its customers’ primary keys on their behalf; it is up to Cosmos DB customers to rotate their keys.
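Because the burden of rotation falls on customers, it is worth spelling out how to do it without knocking an application offline. The script below is an added example written for this article; it is not code from Wiz or Microsoft. It assumes the Azure CLI (`az`) is installed and logged in with write access to the account, and relies on the existing `az cosmosdb keys list` and `az cosmosdb keys regenerate` commands. The account name `chaosdb-demo`, the resource group `demo-rg` and the `redeploy-key.sh` hook are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Rotate the read-write keys of a Cosmos DB account without taking the
# application offline. Requires the Azure CLI (az) logged in with write access
# to the account. AZ may be overridden (e.g. AZ=echo) to print the commands
# instead of running them, which is handy for a dry run.
set -eu

AZ="${AZ:-az}"

# Print one key of the account (primary, secondary, primaryReadonly or
# secondaryReadonly) so it can be handed to an application or a secret store.
cosmos_get_key() {
    account="$1"; rg="$2"; kind="$3"
    case "$kind" in
        primary)           field=primaryMasterKey ;;
        secondary)         field=secondaryMasterKey ;;
        primaryReadonly)   field=primaryReadonlyMasterKey ;;
        secondaryReadonly) field=secondaryReadonlyMasterKey ;;
        *) echo "unknown key kind: $kind" >&2; return 1 ;;
    esac
    "$AZ" cosmosdb keys list --name "$account" --resource-group "$rg" \
        --type keys --query "$field" --output tsv
}

# Rotate both read-write keys in the order that keeps clients online:
#   1. regenerate the secondary (clients should not be using it yet),
#   2. hand clients the fresh secondary,
#   3. regenerate the primary, the key that may have leaked,
#   4. hand clients the fresh primary.
# The third argument is a command invoked as "<cmd> <kind>" after each
# regeneration, where the caller redeploys the new key; it defaults to a no-op.
cosmos_rotate_keys() {
    account="$1"; rg="$2"; on_new_key="${3:-:}"
    for kind in secondary primary; do
        "$AZ" cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind "$kind"
        "$on_new_key" "$kind"
    done
}

# Example invocation (hypothetical account, resource group and redeploy hook):
#   cosmos_rotate_keys chaosdb-demo demo-rg ./redeploy-key.sh
```

The order matters: regenerating the key an application is currently using will break it until the new value is deployed, so the unused secondary is rotated first, clients are moved onto it, and only then is the possibly leaked primary regenerated. If the account also exposes read-only keys to anyone, run the same loop over `secondaryReadonly` and `primaryReadonly`; a leaked read-only key still allows wholesale exfiltration.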
According to Microsoft, there is no evidence that a malicious actor found and exploited Chaos DB before Wiz’s discovery. In an emailed statement to Bloomberg, Microsoft said, “We are not aware of access to customer data due to this vulnerability.” In addition to notifying more than 3,000 customers of the vulnerability and providing mitigation instructions, Microsoft paid Wiz a bounty of $40,000.