Microsoft has warned thousands of Azure customers about a critical Cosmos DB vulnerability. The bug allowed any user to remotely manage databases and granted administrator rights without any authorization.
The problem was discovered by the research team at the cloud security company Wiz. The researchers named the vulnerability ChaosDB and reported it to Microsoft on August 12, 2021. According to the researchers, the vulnerability had been present in the code “for at least several months, and possibly years.” Microsoft paid Wiz a $40,000 bug bounty for the find.
The flaw let attackers exploit a chain of bugs in the open source Jupyter Notebook functionality, which is enabled by default and is intended to help customers visualize their data.
Successful exploitation gave access to the credentials of other Cosmos DB customers, including the primary key, which grants full and unrestricted remote access to their databases and Microsoft Azure customer accounts.
Microsoft ultimately disabled the feature within 48 hours of receiving the report and notified over 30% of Cosmos DB customers of a potential security breach.
It is worth noting that, although all new Cosmos DB instances created since February 2021 have the Jupyter Notebook feature enabled, Cosmos DB automatically disables Notebook functionality if it has not been used within the first three days. This is why the number of affected Cosmos DB customers is relatively small: an estimated 70% of customers either disabled Jupyter Notebook manually or had it disabled automatically. However, according to Wiz, the actual number of affected users is likely much higher, given that the vulnerability existed for a very long time.
At Microsoft’s request, the researchers will not publish technical details about ChaosDB for now, as they could help attackers develop their own exploits, but they promise to release a detailed white paper soon.
To mitigate the risk and block potential attacks, Microsoft recommends that Azure customers regenerate any Cosmos DB primary keys that may have been stolen before the affected feature was disabled.
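The key regeneration Microsoft recommends can be scripted with the Azure CLI. The script below is an added example, not code from the article or from Microsoft or Wiz; it assumes the `az` CLI is installed and logged in, that the `ACCOUNT` and `RESOURCE_GROUP` placeholders are replaced with a real account name and resource group, and it runs in dry-run mode (printing the commands instead of executing them) unless `DRY_RUN=0` is set. It regenerates the secondary key first so applications can be moved onto a fresh key before the possibly exposed primary key is invalidated.

```shell
#!/bin/sh
# Added example: rotate Cosmos DB account keys with the Azure CLI after a suspected leak.
# Not from the article. Assumes 'az' is installed and logged in; ACCOUNT and
# RESOURCE_GROUP are placeholders to be replaced. DRY_RUN=1 only prints the commands.

DRY_RUN="${DRY_RUN:-1}"
ACCOUNT="${ACCOUNT:-my-cosmos-account}"      # placeholder account name
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"    # placeholder resource group

# run_az: execute an az command, or print it when DRY_RUN=1.
run_az() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "az $*"
    else
        az "$@"
    fi
}

# regenerate_key KIND: KIND is one of primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
    run_az cosmosdb keys regenerate \
        --name "$ACCOUNT" --resource-group "$RESOURCE_GROUP" --key-kind "$1"
}

# rotate_keys: regenerate the secondary key first, move applications onto it,
# then regenerate the primary key so any stolen copy of it stops working.
# The old primary keeps working until this last step, so do not delay it.
rotate_keys() {
    regenerate_key secondary
    echo "# repoint applications to the new secondary key before continuing"
    regenerate_key primary
}

rotate_keys
```

Run it once in dry-run mode to review the commands, then with `DRY_RUN=0` to perform the rotation; the read-only keys can be rotated the same way by passing `primaryReadonly` and `secondaryReadonly` to `regenerate_key`.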
According to Microsoft, there is no evidence that attackers discovered or exploited the ChaosDB vulnerability before the Wiz researchers did.
Let me remind you that I also reported that Microsoft warned of a new Print Spooler vulnerability.