Azure Database Service Flaw Could Affect Thousands of FirmsMicrosoft Mitigates Flaw That Researchers Say Was 'Trivial' to Exploit
A vulnerability in Microsoft Azure's database service Cosmos DB has potentially put at risk thousands of Azure customers, including many Fortune 500 companies, according to the public cloud infrastructure security firm Wiz.
Wiz says the vulnerability, discovered two weeks ago, enabled researchers to gain unrestricted access to the accounts and databases of several thousand Microsoft Azure customers.
On Thursday - the same day Wiz published its blog post describing the vulnerability - Microsoft sent an email to its cloud computing customers, stating that it had been made aware of vulnerability on Aug. 12 and took steps to mitigate it, Wiz reports. "We are not aware of any data access because of this vulnerability," said the note, a screenshot of which was tweeted by Wiz cloud security researcher Sagi Tzadik.
The email we received from Microsoft pic.twitter.com/mJ8EDZZ3AE— sagitz (@sagitz_) August 27, 2021
Wiz says that "a series of flaws in a Cosmos DB feature created a loophole, allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read-write access to the underlying architecture of Cosmos DB."
The Cybersecurity and Infrastructure Security Agency also issued an alert on Friday.
CISA is aware of a misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft’s guidance on how to Secure access to data in Azure Cosmos DB," CISA says.
The researchers named this vulnerability #ChaosDB. "Exploiting it was trivial and required no other credentials," they say.
When asked by Information Security Media Group for comment, Microsoft responded: "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under Coordinated Vulnerability Disclosure."
Cloud Computing Risks
The Wiz report highlights the double-edged sword of cloud computing, says Jake Williams, former U.S. National Security Agency's elite hacking team.
In platform-as-a-service offerings, customers don't need to worry about patching - the service provider handles that, says Williams, the co-founder and CTO of breach assessment firm BreachQuest. "But when vulnerabilities are discovered in PaaS, there are many organizations impacted. Vulnerable instances are also easy to find, especially compared to scanning for vulnerable on premises servers. The saving grace is that the platform provider can often patch all vulnerable instances with a single action, preventing any future exploitation."
The Wiz researchers say the Azure flaw enabled them to gain access to customers’ Cosmos DB primary keys. These keys allow complete read, write and delete access to customer data.
"In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB, which allows customers to visualize their data and create customized views. The feature was automatically turned on for all Cosmos DBs in February 2021," the researchers note.
A series of misconfigurations in the Notebook feature opened up a new attack vector the researchers were able to exploit, Wiz reports. "In short, the notebook container allowed for a privilege escalation into other customer notebooks. As a result, an attacker could gain access to customers’ Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token," the researchers say.
Once the Cosmos DB secrets are harvested, an attacker can leverage these keys for full admin access to all the data stored in the affected Cosmos DB accounts, they say. The researchers say they exfiltrated the keys to gain long-term access to the customer assets and data.
"We could then control the customer Cosmos DB directly from the internet, with full read/write/delete permissions," the researchers say. "Now, imagine repeating this process for thousands of different customers across more than 30 regions."
Reuters reports seeing an email from Microsoft indicating it could not change the keys on its own, which is why it emailed its customers, asking them to create new ones.
The news agency also reports that according to an email sent by Microsoft to Wiz, it agreed to pay Wiz $40,000 for finding and reporting the flaw.
Wiz researchers note that Microsoft’s security team took immediate action to address the problem and disabled the vulnerable notebook feature within 48 hours of it being reported. "It’s still turned off for all customers pending a security redesign," they say.
But the long-term exposure of the primary access keys may still impact customers, the researchers say.
"These are long-lived secrets and in the event of a breach, an attacker could use the key to exfiltrate databases. [Thursday], Microsoft notified over 30% of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure," the researchers note. "Microsoft only emailed customers that were affected during our short research period. However, we believe many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years."
Cosmos DB accounts that use the Notebook feature or that were created after February were also potentially exposed, the researchers say.
Lack of Control
Although transitioning data repositories to the cloud has many advantages, it also means lack of control of where the data resides, says Ameesh Divatia, CEO of cloud data protection firm Baffle.
"Security practices, such as encryption of sensitive database contents at the application tier along with bring-your-own-key are the right approaches. They help organizations maintain control of their data on infrastructure that they do not own," Divatia says.
"BYOK enables encryption or tokenization of sensitive data records so that only the data owner has access to them. These methods, along with key management solutions that never co-locate the keys with the data, prevent inadvertent disclosure. And if someone pretending to be the cloud service provider’s administrator exfiltrates the data, all they will get is encrypted data, without access to the keys, rendering the breach useless."
Christos Betsios, cyber operations officer at Obrela Security Industries, adds: “Customers should still take action themselves to regenerate new keys for their own databases. If they fail to do this and their keys have already been compromised, an attacker could continue to have access to their databases to exfiltrate data, steal information or even delete items. The incident also highlights how no piece of software is ever free from vulnerabilities. It is therefore critical that organizations layer their security and carry out regular penetration testing, so weaknesses can be identified and remediated before problems occur.”