Users of Microsoft’s Azure Cosmos DB may be vulnerable to a misconfiguration that allows hackers to download or edit data and the architecture of the database service, according to a report by cybersecurity company Wiz.
The Microsoft Security Response Center published an article on the vulnerability on Friday — saying that Microsoft was contacted on Aug. 12 and “mitigated the vulnerability immediately.”
Wiz believes the vulnerability has existed for at least several months and possibly years. The company issued a report on Thursday with some details on a Cosmos DB vulnerability — which the company dubs “ChaosDB” — involving the Cosmos DB data visualization feature Jupyter Notebook, which Microsoft automatically turned on for Cosmos DB users in February.
“The notebook container allowed for a privilege escalation into other customer notebooks,” according to the report from Wiz, which is based in Palo Alto, Calif., and Tel Aviv. Attackers can gain access to primary keys and notebook blob storage access tokens and gain full administrative access to the data stored in affected Cosmos DB accounts, Wiz said.
Microsoft did not respond to a request for comment from CRN.
Phil Walker, CEO of Manhattan Beach, Calif.-based Microsoft partner Network Solutions Provider, a member of CRN’s 2021 Managed Service Provider 500, told CRN that Microsoft’s quick response time and addressing of the problem is the type of “muscle” cloud users should demand from cloud vendors.
Even though cloud tools are susceptible to vulnerabilities like ChaosDB and massive outages, the insights and efficiencies they create for businesses are still worth the risks, Walker said.
“There are going to be vulnerabilities and issues that are going to pop up that we didn’t plan for” in cloud tools, Walker said. But cloud tools are “absolutely still worth adopting because of the business impact. It‘s still such a huge growth piece that it’s worth the risk. It’s really about the vendor that you’ve picked and the resources they have.”
In its post on the vulnerability, the Microsoft Security Response Center said that “our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers.”
“We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys,” Microsoft said in the post.
Microsoft sent notifications “to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key,” according to the article. “Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable.”
Microsoft also published a list of best practices for Azure Cosmos DB users, including using a combination of firewall rules, vNet, and/or Azure Private Link on accounts, using role based access control and implementing regularly scheduled key rotations.
Microsoft disabled the vulnerable feature within 48 hours of Wiz reporting the issue to the tech giant, according to Wiz. “It’s still turned off for all customers pending a security redesign,” according to the report.
“However, customers may still be impacted since their primary access keys were potentially exposed. These are long-lived secrets and in the event of a breach, an attacker could use the key to exfiltrate databases,” according to the report.
Microsoft notified more than 30 percent of Cosmos DB customers that “they need to manually rotate their access keys to mitigate this exposure,” according to the report. “However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.”
“As a precaution, we urge every Cosmos DB customer to take steps to protect their information,” according to the report. “Every Cosmos DB account that uses the notebook feature, or that was created after January 2021, is potentially at risk. Starting this February, every newly created Cosmos DB account had the notebook feature enabled by default and their Primary Key could have been exposed even if the customer was not aware of it and never used the feature.”
If a customer did not use the feature within three days, the feature was automatically disabled, according to the report. “An attacker who exploited the vulnerability during that window could obtain the Primary Key and have ongoing access to the Cosmos DB account,” the report said.
Microsoft paid Wiz a $40,000 bounty for the report, according to Wiz.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, issued a statement on the vulnerability on Friday.
“CISA is aware of a misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data,” according to the statement. “Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft’s guidance on how to Secure access to data in Azure Cosmos DB.”