Huge Vulnerability: Microsoft Cloud Customers Exposed
Microsoft Azure is facing another security headache, with customers of its flagship database service Cosmos DB – including Fortune 500 firms – being urged to immediately rotate their access keys to guard against a serious new vulnerability.
The vulnerability, named ChaosDB by its discoverers at security firm Wiz, Nir Ohfeld and Sagi Tzadik, lies in a data visualisation feature called Jupyter Notebook (below), which was added in 2019 and automatically turned on for all customers in February 2021.
Ohfeld and Tzadik say security issues with Jupyter Notebook meant intruders could obtain users’ primary keys and, from there, gain read, write and delete access to their entire databases.
“Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault.
“Rather, a series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB,” the Wiz team said.
According to Ohfeld and Tzadik, while Microsoft’s security team disabled the vulnerable feature within 48 hours of being notified, accounts that used the notebook feature, or that were created after January 2021, could still be at risk.
“Starting this February, every newly created Cosmos DB account had the notebook feature enabled by default and their Primary Key could have been exposed even if the customer was not aware of it and never used the feature.
“If the customer didn’t use the feature in the first three days, it was automatically disabled. An attacker who exploited the vulnerability during that window could obtain the Primary Key and have ongoing access to the Cosmos DB account,” they said.
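The remediation the article describes is key rotation: because a stolen Primary Key keeps working until it is regenerated, every key on the account has to be replaced. The script below is an added example (not code from the article, from Wiz or from Microsoft) showing how that rotation can be scripted with the Azure CLI's `az cosmosdb keys regenerate` command. The account and resource-group names are placeholders passed as arguments, it assumes `az login` has already been run, and by default it only prints the plan so the order of operations can be reviewed before any key is invalidated.

```shell
#!/bin/sh
# Added example (not from the article, Wiz or Microsoft): rotate every
# Cosmos DB account key with the Azure CLI. Assumes `az login` has been done.
# <account-name> and <resource-group> are placeholders passed as arguments.

# Order matters: the Primary Key is the credential the article says was
# exposed, so it is regenerated first; the remaining keys follow so that no
# previously issued credential survives the rotation.
KEY_KINDS="primary secondary primaryReadonly secondaryReadonly"

# Emit the exact az commands for one account, one per line, in rotation order.
# Producing text instead of running it lets the plan be reviewed (and tested)
# before a single key is invalidated.
rotation_plan() {
  account="$1"; rg="$2"
  for kind in $KEY_KINDS; do
    printf 'az cosmosdb keys regenerate --name %s --resource-group %s --key-kind %s\n' \
      "$account" "$rg" "$kind"
  done
}

# Number of regenerate steps in a plan (sanity check: one per key kind).
plan_steps() {
  rotation_plan "$1" "$2" | wc -l | tr -d ' '
}

# Execute the plan. With DRY_RUN=1 (the default here) commands are only
# printed; set DRY_RUN=0 to actually regenerate the keys.
run_rotation() {
  account="$1"; rg="$2"
  plan=$(rotation_plan "$account" "$rg")
  old_ifs=$IFS
  IFS='
'
  for cmd in $plan; do
    IFS=$old_ifs
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "[dry-run] $cmd"
    else
      # eval re-parses the command line with normal shell word splitting.
      eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    fi
    IFS='
'
  done
  IFS=$old_ifs
  # After a real rotation, read the new keys back so that application
  # connection strings can be updated to the replacement credentials.
  if [ "${DRY_RUN:-1}" != "1" ]; then
    az cosmosdb keys list --name "$account" --resource-group "$rg" --type keys
  fi
}

# Usage (dry run): sh rotate-cosmos-keys.sh <account-name> <resource-group>
if [ "$#" -eq 2 ]; then
  run_rotation "$1" "$2"
fi
```

Regenerating a key breaks every client still using the old value, so in practice the rotation is paired with a configuration push that swaps the new key into application settings; the dry-run output is the checklist for that push.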
ChaosDB is yet another security problem for Microsoft, following the SolarWinds hack and the discovery of the PrintNightmare exploit earlier this year.