Microsoft cloud databases of Fortune 500 companies exposed by critical Cosmos DB bug
Microsoft has urged thousands of its customers to manually rotate their access keys after security researchers found a critical vulnerability in its flagship CosmosDB database that gave them full admin access for customers including several Fortune 500 multinationals, in the latest major security scare for Microsoft customers.
Cosmos DB is a fully managed NoSQL database service for modern applications. Microsoft names Mercedes Benz, ExxonMobil, ASOS, Symantec, and others as users on its homepage. (The database is often used for ecommerce workloads and IOT device telemetry: The Stack understands that Microsoft itself uses Cosmos DB to collate the data provided by telemetry from the devices of tens of millions of Microsoft users globally.)
Cloud security firm Wiz reported the CosmosDB vulnerability (which it dubbed “ChaosDB”) to Microsoft on August 12. The initial vulnerable feature (first introduced in February 2021) that exposed the cloud database access keys was disabled 48 hours later, it said, adding that exploiting the Cosmos DB vulnerability was “trivial”.
“Every CISO’s nightmare is someone getting their access keys and exfiltrating gigabytes of data in one fell swoop” Wiz’s Nir Ohfeld and Sagi Tzadik wrote. “So you can imagine our surprise when we were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies.”
(Wiz has provided few technical details to help defenders understand the “series of misconfigurations in the notebook feature” but has promised to “share technical details on the escalation soon”.)
CosmosDB vulnerability: DataViz tool roots…
The Cosmos DB vulnerability could be exploited in a series of steps that started by gaining access to customers’ Cosmos DB primary keys through a native data visualisation feature called Jupyter Notebook.
Primary keys are “the holy grail for attackers – they are long-lived and allow full READ/WRITE/DELETE access to customer data” as Israel-based Wiz noted in its write-up, published August 26, 2021.
The feature had been turned on automatically for all Cosmos DBs in February 2021.
Reuters and others reported Microsoft has circulating the following email to Cosmos DB users.
“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately. We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms…”
Wix, founded in 2020 in Tel Aviv, has previously identified vulnerabilities in AWS services also, detailing in an earlier blog that “in some cases, AWS services (CloudTrail, AWS Config and Serverless Repository) could be manipulated to give anyone access to the specific resources of other customers.”
(The curious can see slides from Wiz’s Black Hat 2021 presentation here).
With the bug requires updating of resource policies by AWS users themselves, many customers have been predictably tardy with patching/updating, Wiz suggested in another August 2021 blog, noting that “five months after the policies were fixed, a survey we conducted of AWS environments showed that over 90% of Serverless Repository buckets were still improperly configured and vulnerable. Our survey also found that over 25% of environments were still using the misconfigured CloudTrail policy.”