Big Azure Cosmos DB flaw could allow full takeover of cloud accounts
30 August 2021
Microsoft has warned users of its Azure Cosmos DB service to renew security keys used in the service following the discovery of a bug that could allow attackers to take over cloud accounts.
In an advisory, Microsoft said it had become aware of “a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key.”
Microsoft said it mitigated the vulnerability immediately and launched an investigation that found no third parties or security researchers accessed customer data via this vulnerability.
“We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys,” it said.
Security researchers at cyber security firm Wiz originally disclosed the flaw. Dubbed #ChaosDB, the flaw in the Azure cloud platform allows for remote account takeover of Azure’s Cosmos DB database. The flaw gives any Azure user full admin access – read, write, delete – to other customers’ Cosmos DB instances without authorisation.
“The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment, and impacts thousands of organisations, including numerous Fortune 500 companies,” said researchers.
Researchers said by exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook. By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key.
“Using these credentials, it is possible to view, modify, and delete data in the target Cosmos DB account via multiple channels,” said researchers. They added that all users should now review all past activity in their Cosmos DB accounts.
The security flaw was disclosed to Microsoft on 12 August. The company disabled vulnerable elements of Jupyter within 48 hours.
Microsoft urged customers to regenerate their primary read-write keys following the steps described in its technical documentation and to use role-based access controls. It added that it was “actively exploring implementing additional safeguards including updating the threat model and adding additional monitoring to detect unintended data access.”
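The two remediation steps above, reviewing past activity and then regenerating the primary key, leave the practical question of what to look for in the logs. The script below is an added example, not code from the article, Wiz or Microsoft: it triages Cosmos DB data-plane diagnostic records for requests authenticated with the account key, inside an assumed exposure window, from IP addresses outside the application's own ranges, and counts writes and deletes separately. The field names and values (`authTokenType_s`, `keyType_s`, `clientIpAddress_s`, `operationType_s`) follow the AzureDiagnostics `DataPlaneRequests` schema as I understand it and should be checked against your own workspace; the log lines, the trusted networks and the window dates are all constructed for the example.

```python
"""
Triage Azure Cosmos DB data-plane diagnostic logs for key-based access.

Added example for reviewing past Cosmos DB activity after a possible
primary-key exposure. Field names are an assumption based on the
AzureDiagnostics DataPlaneRequests schema; verify them in your workspace.
All records, networks and dates below are constructed, not real data.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records (JSON lines), not real exported log data.
SAMPLE_LOGS = """
{"TimeGenerated":"2021-08-10T09:15:00Z","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","clientIpAddress_s":"10.20.0.14","operationType_s":"Read","requestResourceType_s":"Document","statusCode_s":"200"}
{"TimeGenerated":"2021-08-11T22:41:05Z","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","clientIpAddress_s":"203.0.113.77","operationType_s":"Query","requestResourceType_s":"Document","statusCode_s":"200"}
{"TimeGenerated":"2021-08-11T22:43:30Z","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","clientIpAddress_s":"203.0.113.77","operationType_s":"Delete","requestResourceType_s":"Document","statusCode_s":"204"}
{"TimeGenerated":"2021-08-12T03:00:00Z","authTokenType_s":"aad","keyType_s":"","clientIpAddress_s":"198.51.100.5","operationType_s":"Read","requestResourceType_s":"Document","statusCode_s":"200"}
{"TimeGenerated":"2021-08-20T10:00:00Z","authTokenType_s":"key","keyType_s":"PrimaryMasterKey","clientIpAddress_s":"203.0.113.77","operationType_s":"Read","requestResourceType_s":"Document","statusCode_s":"401"}
"""

# Assumed trusted client ranges (the application's own subnets); constructed.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("198.51.100.0/24")]

# Assumed exposure window: earliest possible exposure until the key was
# regenerated. Placeholder dates, not taken from the advisory.
WINDOW_START = datetime(2021, 8, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 8, 15, tzinfo=timezone.utc)

# Operations that change data; these matter most when judging impact.
MUTATING_OPS = {"Create", "Replace", "Upsert", "Delete", "Patch", "Execute"}


def parse_logs(text):
    """Parse JSON-lines records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def is_trusted(ip):
    """True when the client address falls inside an allowed network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def suspicious_key_usage(records, start=WINDOW_START, end=WINDOW_END):
    """Return key-authenticated requests inside the window from untrusted IPs."""
    hits = []
    for r in records:
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        if not (start <= ts <= end):
            continue
        if r.get("authTokenType_s") != "key":
            continue  # AAD or resource-token auth is not affected by a leaked key
        if is_trusted(r["clientIpAddress_s"]):
            continue
        hits.append(r)
    return hits


def summarize(hits):
    """Count flagged requests per source IP and how many of them changed data."""
    by_ip = Counter(h["clientIpAddress_s"] for h in hits)
    mutating = [h for h in hits if h["operationType_s"] in MUTATING_OPS]
    return {"by_ip": dict(by_ip), "mutating": len(mutating)}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    flagged = suspicious_key_usage(recs)
    for h in flagged:
        print(h["TimeGenerated"], h["clientIpAddress_s"],
              h["operationType_s"], h["statusCode_s"])
    print(summarize(flagged))
```

In the constructed data the two flagged requests come from one untrusted address, and one of them is a delete, which is the kind of finding that turns "review past activity" into a concrete incident record. The final record, a key-authenticated request returning 401 after the window, is what a successful key regeneration looks like in the logs. Moving application access to Azure AD role-based access control, as the article recommends, makes this review simpler the next time: key-authenticated requests then become the exception rather than the baseline.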
© Dennis Publishing