August 27, 2021

Microsoft Azure Cosmos users told: ‘Assume vulnerability’ to ChaosDB exploit

By Robert Scammell

Researchers have discovered a “critical” vulnerability in Cosmos DB, a flagship database service on Microsoft Azure, that gives an attacker the ability to read, write and delete Cosmos DB customers’ data.

Microsoft said it has “no indication” that the vulnerability, dubbed “ChaosDB”, has been exploited in the wild. However, because the flaw was exploitable for months before it was fixed, Cosmos DB customers are advised to regenerate their Cosmos DB Primary Key.

“Every Cosmos DB customer should assume they’ve been exposed,” said Israeli cloud security company Wiz, which discovered the vulnerability, in a blogpost.

Microsoft warned that the ChaosDB vulnerability affects thousands of its customers, including Fortune 500 companies.

Launched in 2017, Cosmos DB is Microsoft’s proprietary database service that is available via the tech giant’s cloud computing platform Azure.

It is used by some of the largest companies in the world to manage their data, including Coca-Cola, ExxonMobil and Schneider Electric. Microsoft uses Cosmos DB in many of its own apps, including Skype, Xbox and Office.

Wiz, which was launched by former Microsoft employees, discovered the vulnerability on 9 August 2021. The cybersecurity startup disclosed the flaw to Microsoft three days later. Within 48 hours Microsoft’s security teams disabled the vulnerable feature, Wiz said.

Wiz isn’t publishing a technical breakdown of the ChaosDB vulnerability, in line with Microsoft’s request, to give time for organisations to get their databases in order. Successful exploitation of ChaosDB allows remote account takeover and grants full admin access.

But Wiz did share a general overview of how the vulnerability works:

“By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook. By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key.”

Once the attacker has these credentials they are free to steal, modify and delete data on the Cosmos DB account.

Microsoft awarded Wiz $40,000 for the disclosure via its bug bounty programme.

Organisations using Cosmos DB, along with managed service providers (MSPs) and managed security service providers (MSSPs), are advised to regenerate Cosmos DB Primary Keys.

“Service providers and organisations alike must quickly detect and patch vulnerable assets like these, as soon as they are identified,” said Camille Charaudeau, vice president of product strategy at CybelAngel. “Data exposure can be devastating and a proactive approach to security will find these vulnerabilities before they turn into devastating breaches.”

Microsoft has been notifying Cosmos DB customers of the vulnerability and had informed more than 30% as of Thursday.

In a statement, Microsoft said: “We have no indication that external entities outside the researcher had access to the primary read-write key … In addition, we are not aware of any data access because of this vulnerability.

“Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.”
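The two practical points in the advice above are that every account's keys should be regenerated, and that accounts behind a firewall or vNET were, in Microsoft's words, protected by additional mechanisms. The script below is an added example written for this page, not code from Wiz or Microsoft. It reads account metadata in the shape that `az cosmosdb list -o json` returns, flags accounts with no network restriction so they can be rotated first, and builds the `az cosmosdb keys regenerate` commands for a phased rotation (secondary first, move clients, then primary). The account names, resource groups, subnet id and IP ranges in the sample are constructed; the field names on the account objects are the real ones on a Cosmos DB account resource.

```python
"""Triage Azure Cosmos DB accounts for ChaosDB key rotation (added example)."""
import ipaddress
import json

# Constructed sample shaped like `az cosmosdb list -o json` output. Every
# account name, resource group, subnet id and IP range here is made up.
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "orders-prod", "resourceGroup": "rg-prod",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [], "virtualNetworkRules": []},
  {"name": "orders-prod-eu", "resourceGroup": "rg-prod",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": true,
   "ipRules": [],
   "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/app"}]},
  {"name": "analytics-dev", "resourceGroup": "rg-dev",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}], "virtualNetworkRules": []},
  {"name": "reports-shared", "resourceGroup": "rg-dev",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [{"ipAddressOrRange": "0.0.0.0"}], "virtualNetworkRules": []},
  {"name": "internal-only", "resourceGroup": "rg-core",
   "publicNetworkAccess": "Disabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [], "virtualNetworkRules": []}
]"""


def _is_real_ip_rule(rule):
    """True only for a rule that actually narrows the source network.

    "0.0.0.0" in the Cosmos DB IP list is the documented shorthand for
    "allow all Azure datacenter IPs"; it does not restrict an attacker who
    operates from inside Azure, so it is not counted as a firewall rule.
    """
    addr = rule.get("ipAddressOrRange", "")
    if addr in ("0.0.0.0", "0.0.0.0/0"):
        return False
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.prefixlen > 0


def classify(account):
    """Return (restricted, reason) for one account dict."""
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return True, "public network access disabled (private endpoints only)"
    if account.get("isVirtualNetworkFilterEnabled") and account.get("virtualNetworkRules"):
        return True, "vNET service endpoint rules enabled"
    if any(_is_real_ip_rule(r) for r in account.get("ipRules", [])):
        return True, "IP firewall rules present"
    return False, "reachable from any network with the primary key alone"


def triage(accounts_json):
    """Classify every account; unrestricted accounts come first in the result."""
    rows = []
    for acct in json.loads(accounts_json):
        restricted, reason = classify(acct)
        rows.append({"name": acct["name"], "resourceGroup": acct["resourceGroup"],
                     "exposed": not restricted, "reason": reason})
    rows.sort(key=lambda r: (not r["exposed"], r["name"]))
    return rows


def rotation_commands(name, resource_group):
    """Phased rotation using `az cosmosdb keys regenerate`: regenerate the
    secondary key, move clients to it, then regenerate the primary, so no
    client is ever pointed at a key that is being replaced."""
    base = (f"az cosmosdb keys regenerate --name {name} "
            f"--resource-group {resource_group} --key-kind ")
    return [base + "secondary",
            f"# switch every client of {name} to the new secondary key",
            base + "primary",
            "# switch clients back to the new primary key"]


if __name__ == "__main__":
    for row in triage(SAMPLE_ACCOUNTS_JSON):
        flag = "ROTATE FIRST" if row["exposed"] else "rotate (restricted)"
        print(f"{row['name']:<16} {flag:<20} {row['reason']}")
        if row["exposed"]:
            for cmd in rotation_commands(row["name"], row["resourceGroup"]):
                print("  " + cmd)
```

Restricted accounts are still listed for rotation, in line with Wiz's advice that every customer should assume exposure; the ordering only decides which accounts get new keys first. The `0.0.0.0` case matters here because the leaked credentials were obtained from compute running inside Azure.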

Azure Cosmos DB flaw adds to Microsoft woes

The ChaosDB vulnerability follows a testing year for Microsoft’s security teams, which began with Chinese state-sponsored hackers using zero-day exploits to gain full access to on-premises Microsoft Exchange Servers. An estimated 250,000 servers globally were compromised during the attack.

In June, the Russian state-backed group behind the SolarWinds supply chain attack conducted further cyberattacks on Microsoft and its customers.

Then in July researchers mistakenly released a proof-of-concept zero-day exploit that gave attackers remote code execution and local privilege escalation via Microsoft’s Windows Print Spooler software.

On Wednesday Microsoft was one of a handful of tech companies whose representatives met with US President Joe Biden at the White House to discuss ways to boost the country’s cybersecurity.

As part of the initiative, Microsoft said it will invest $20bn over the next five years to “accelerate efforts to integrate cybersecurity by design and deliver advanced security solutions”.