Executive Summary
Microsoft has disclosed an issue in its flagship Azure database service, Cosmos DB. The Wiz Research security team discovered a way to obtain the Primary Key that controls access to databases used by thousands of companies. The vulnerability has been dubbed “ChaosDB”. Exploitation could lead to remote account takeover through a chain of vulnerabilities in the Jupyter Notebook feature, which was enabled by default. Microsoft stated there is no indication of exploitation in the wild at this time.
Details
ChaosDB is an “unprecedented” critical vulnerability in the Azure cloud platform. Threat actors can take advantage of vulnerabilities in the Jupyter Notebook feature of Cosmos DB. Successful exploitation gives the actor a set of credentials for the target Cosmos DB account and its Jupyter Notebook storage account, including the Primary read-write key. With these credentials, it is possible to view, modify and delete data in the target Cosmos DB account.
The Jupyter Notebook feature was added in 2019 to give customers data visualization capabilities. It was enabled by default for all Cosmos DB customers in February 2021.
At this time Microsoft has fixed the problem and disabled the vulnerable feature. However, the vulnerability existed for months, and Cosmos DB customers are being advised to assume they have been exposed. The primary access keys are long-lived secrets, so they remain usable until they are regenerated. Microsoft has stated that Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security controls that prevent unauthorized access.
Recommendations
If you are a Cosmos DB customer, we highly recommend that you regenerate all Cosmos DB Primary keys. Instructions have been provided by Microsoft (see the Microsoft Docs entry under Sources).
If you have been contacted by Microsoft regarding potential exposure, please heed their warning and follow all provided instructions and recommendations.
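The following script is an added example (not from Microsoft, Wiz or this alert) of carrying out the key regeneration recommended above with the Azure CLI. It assumes `az` is installed and logged in with permission to regenerate keys, that the account and resource group names are supplied by the caller, and that the `switch_clients_to` hook is replaced with whatever updates your own applications' connection secrets.

```shell
#!/usr/bin/env sh
# Rotate the primary keys of one Azure Cosmos DB account with the Azure CLI.
# Assumptions: `az` is installed and logged in; the caller may regenerate keys
# on the account; ACCOUNT and RESOURCE_GROUP are passed as the two arguments.

# Regenerate one key of the account. KIND must be one of the values the CLI
# accepts: primary, primaryReadonly, secondary, secondaryReadonly.
regenerate_key() {
    account="$1"; rg="$2"; kind="$3"
    case "$kind" in
        primary|primaryReadonly|secondary|secondaryReadonly) ;;
        *) echo "regenerate_key: unknown key kind '$kind'" >&2; return 2 ;;
    esac
    az cosmosdb keys regenerate \
        --name "$account" \
        --resource-group "$rg" \
        --key-kind "$kind" \
        --output none
}

# Hook (hypothetical): replace the body with whatever moves your applications
# to the named key set, e.g. updating a Key Vault secret. The default only
# records the step so the procedure can be rehearsed without live clients.
switch_clients_to() {
    echo "clients now using $1 keys"
}

# Regenerate both primary keys without downtime: clients are moved to the
# secondary keys first, the primaries are regenerated, then clients move back.
# If the secondary keys may also have been exposed, repeat the procedure with
# the roles of primary and secondary swapped.
rotate_primary_keys() {
    account="$1"; rg="$2"
    switch_clients_to secondary || return 1
    regenerate_key "$account" "$rg" primary || return 1
    regenerate_key "$account" "$rg" primaryReadonly || return 1
    switch_clients_to primary || return 1
    echo "rotated primary keys of $account"
}

# Usage: ./rotate_cosmos_keys.sh ACCOUNT RESOURCE_GROUP
if [ "$#" -eq 2 ]; then
    rotate_primary_keys "$1" "$2"
fi
```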
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.
At this time no technical details have been released regarding this exposure. We remain diligent in our efforts to continuously analyze your environment and discover any exploitation related to this vulnerability.
If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.
Sources
Wiz Research Blog – ChaosDB Azure Exposure – How They Hacked
Wiz – Critical Vulnerability in Microsoft Azure Cosmos DB – Q&A, Disclosure Timeline
Microsoft Docs – Secure access to data in Azure Cosmos DB – Key Regeneration Instructions