Microsoft has fixed a critical flaw in Cosmos DB that allowed any Azure user to remotely take over other users’ databases without any authorization.
Researchers from Cloud security company Wiz disclosed technical details of a now-fixed Azure Cosmos database vulnerability, dubbed ChaosDB, that could have been potentially exploited by attackers to gain full admin access to other customers’ database instances without any authorization.
The flaw was trivial to exploit and impacts thousands of organizations worldwide.
“#ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure’s flagship database – Cosmos DB. The vulnerability, which was disclosed to Microsoft in August 2021 by Wiz Research Team, gives any Azure user full admin access (read, write, delete) to another customers Cosmos DB instances without authorization.” reads the post published by the security firm,
Azure Cosmos Darabase is Microsoft’s globally-distributed multi-model database service.
Wiz experts discovered the vulnerability on August 9 and reported it to Microsoft on the 12th. On August 14, 2021, – the Wiz Research Team observed that the flaw was fixed and on August 16 MSRC acknowledged the flaw.
The same day, credentials obtained by Wiz Research Team had been revoked and on August 17, MSRC awarded a $40,000 bounty for the report. Microsoft publicly disclosed the flaw on August 26, 2021.
“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.” reads the statement shared by Microsoft with its customers. “We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access.”
Wiz experts identified an exploit that leverages a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB that enables an attacker to obtain the credentials corresponding to the target Cosmos DB account, including the Primary Key. These credentials allow users to view, modify, and delete data in the target Cosmos DB account via multiple channels.
Below is a PoC for the CHAOSBD vulnerability:
In order to mitigate the flaw, organizations have to regenerate their Cosmos Database Primary Key following the guide provided by Microsoft. Experts also recommend reviewing all past activity in their Cosmos DB account.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine