“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

Yesterday, cloud security vendor Wiz announced that it discovered a vulnerability in Microsoft Azure’s managed database service, CosmosDB. This vulnerability allowed any attacker to gain read/write access to every database on the service.
Wiz discovered the vulnerability, which it called "Chaos DB", two weeks ago. However, the company claims that the vulnerability was present in the system for at least several months and possibly even years.

A slingshot around Jupyter

Microsoft added open-source Jupyter Notebook functionality to Cosmos DB in 2019. Jupyter Notebooks make it easy to implement machine-learning algorithms, and Microsoft promoted Notebooks as a useful tool for advanced visualizations of Cosmos DB data.

Jupyter Notebook functionality was automatically enabled for all Cosmos DB instances in February 2021. However, Wiz believes that the bug in question probably goes back further, possibly all of the way to Cosmos DB's initial introduction of the feature in 2019.

Wiz has not yet revealed all details, but it is clear that a Jupyter feature misconfiguration opens up a privilege-escalation exploit. According to Wiz, this exploit could be used to gain access to any other Cosmos DB customer's primary key along with other secrets.

The primary key to a Cosmos DB instance is no minor secret: it grants full read, write, and delete rights to every database that belongs to that instance. Ami Luttwak, Wiz's Chief Technology Officer, describes this as "the most serious cloud vulnerability you could imagine." He adds, "This central database of Azure is where we were able to access any customer database we wanted."


Secrets that last a lifetime

Unlike tokens and other ephemeral secrets, a Cosmos DB primary key does not expire. If a key has already been leaked and is never rotated, an attacker could keep using it to exfiltrate and manipulate the database for years.

Wiz reports that Microsoft emailed only 30% of its Cosmos DB customers about the vulnerability. Those customers were told to manually rotate their primary keys in order to prevent attackers from obtaining them. They were the customers who had Jupyter Notebook functionality active during the week in which Wiz discovered the vulnerability.

Although Jupyter Notebook functionality was enabled on all new Cosmos DB instances from February 2021 onward, the Cosmos DB service automatically disabled it if the feature went unused for three days. That is why most Cosmos DB customers were not notified: the roughly 70% who received no email from Microsoft had either disabled Jupyter manually or had it disabled due to inactivity.

That does not cover the full exposure, however. Any Cosmos DB instance that ever had Jupyter enabled was at risk. Furthermore, because the primary key is not an ephemeral secret, there is no way to know who currently holds the keys to which instances. An attacker going after a specific target might have quietly stolen that target's primary key without doing anything noisy enough to be detected.

A wider impact scenario is also possible, in which a hypothetical attacker harvested the primary key of every new Cosmos DB instance during its initial three-day window with Jupyter enabled and saved those keys for later use. We agree with Wiz that if your Cosmos DB instance ever had Jupyter Notebook functionality enabled, you should rotate its keys immediately.
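For readers who need to act on that advice, the following is an added example of a rotation script using the Az.CosmosDB and Az.KeyVault PowerShell modules; it is not code from the article, from Wiz, or from Microsoft. The resource group, account, and Key Vault names are placeholders, and it assumes your applications read the account key from a Key Vault secret rather than from a hard-coded connection string. It rotates the secondary key first, publishes it, and only then retires the primary key, so that clients never lose access during the swap.

```powershell
# Added example (not from the article, Wiz, or Microsoft): zero-downtime rotation
# of a Cosmos DB account's master keys with the Az.CosmosDB module.
# Placeholders below are assumptions; replace them with your own values.
$ResourceGroup = "rg-placeholder"
$AccountName   = "cosmos-placeholder"
$VaultName     = "kv-placeholder"
$SecretName    = "cosmos-account-key"   # secret your apps read at startup

function Publish-CosmosKey {
    # Store a key value in Key Vault so applications pick it up on refresh.
    param([string]$KeyValue)
    $secure = ConvertTo-SecureString -String $KeyValue -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure | Out-Null
}

# 1. Regenerate the secondary key. Nothing should be using it yet, so this is safe.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind "Secondary" | Out-Null
$keys = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -Type "Keys"

# 2. Move applications onto the fresh secondary key.
Publish-CosmosKey -KeyValue $keys.SecondaryMasterKey
Write-Host "Secondary key rotated and published; restart or refresh clients before continuing."
Read-Host "Press Enter once all clients use the new secondary key"

# 3. Retire the (possibly leaked) primary key. Anything still holding the old
#    value is cut off at this point, which is exactly the goal.
New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind "Primary" | Out-Null

# 4. The read-only keys are just as long-lived, so rotate them in the same pass.
foreach ($kind in @("SecondaryReadonly", "PrimaryReadonly")) {
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind $kind | Out-Null
}
Write-Host "All four account keys have been regenerated."
```

The pause between steps 2 and 3 is deliberate: regenerating the primary key invalidates the old value immediately, so any client that has not yet reloaded the secret will start failing. Run the script a second time at a later date if you want applications back on the primary key, or simply leave them on the secondary, which is functionally identical.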

Microsoft's Response

Microsoft closed the Chaos DB vulnerability less than 48 hours after Wiz reported it privately. Microsoft cannot change its customers' primary keys on their behalf, however; it is up to each Cosmos DB customer to rotate them.

Microsoft claims that there is no evidence that malicious actors discovered or exploited Chaos DB before Wiz found it. In an email to Bloomberg, Microsoft said it was unaware of any customer data being accessed because of this vulnerability and that it had notified more than 3,000 customers about the vulnerability and given them mitigation instructions. Microsoft also paid Wiz a $40,000 bounty.