Microsoft is warning thousands of its customers of a vulnerability in Azure that left customer data – including for several Fortune 500 companies – completely exposed.
Cloud security company Wiz said in a lengthy and detailed post that the flaw – dubbed Chaos DB – is in Azure’s Cosmos DB database. A successful exploit would give any Azure user full admin access to another customer’s Cosmos DB instances without authorization and without previous access to the target environment.
According to Wiz, an attacker would need to exploit a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB and query information about the target Cosmos DB Jupyter Notebook. Doing so gives the attacker a set of credentials related to the target account, the Jupyter Notebook compute and the Jupyter Notebook storage account, including the Primary Key.
Then, the attacker can view, modify and delete data in the Cosmos DB account via multiple channels, the security company says.
The Wiz research team first notified Microsoft on Aug. 12, and the vulnerable feature was disabled on Aug. 14. It is unclear if the vulnerability has been exploited in the wild.
“However, the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed,” the company said in the post, which also included a statement from Microsoft to impacted customers:
“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.
We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.”
Admins can further mitigate this risk by regenerating their Cosmos DB Primary Key, and they should also review past activity in the account.
Microsoft on Aug. 20 posted a guide to securing access to data in Azure Cosmos DB, including key rotation and regeneration.
Microsoft only notified customers affected during Wiz’ weeklong research period, so there could be more impacted customers out there.
“Our recommendation is to regenerate your Cosmos DB Primary Key for all accounts that had the Jupyter Notebook feature enabled,” Wiz’ post said.
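The key regeneration advice above, combined with Microsoft's note that accounts behind a vNET or firewall have additional protection, can be turned into a rotation work list. The following is an added example, not code from Wiz or Microsoft: it assumes an account inventory exported with `az cosmosdb list -o json`, uses constructed account names, and emits `az cosmosdb keys regenerate` commands with accounts that have no network restriction first.

```python
import json
import shlex

# Constructed sample in the shape of `az cosmosdb list -o json` output
# (account names, resource groups and the subnet id are made up).
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "orders-prod", "resourceGroup": "rg-shop",
   "isVirtualNetworkFilterEnabled": false, "ipRules": [], "virtualNetworkRules": []},
  {"name": "telemetry", "resourceGroup": "rg-iot",
   "isVirtualNetworkFilterEnabled": false,
   "ipRules": [{"ipAddressOrRange": "203.0.113.10"}], "virtualNetworkRules": []},
  {"name": "billing", "resourceGroup": "rg-fin",
   "isVirtualNetworkFilterEnabled": true, "ipRules": [],
   "virtualNetworkRules": [{"id": "constructed-subnet-id"}]}
]
""")

def network_restricted(account):
    """True if the account has a vNET filter or IP firewall rules."""
    return bool(account.get("isVirtualNetworkFilterEnabled")
                or account.get("ipRules")
                or account.get("virtualNetworkRules"))

def rotation_plan(accounts):
    """Order accounts with no network restriction first; emit regenerate commands."""
    ordered = sorted(accounts, key=lambda a: (network_restricted(a), a["name"]))
    plan = []
    for acct in ordered:
        target = "--name {} --resource-group {}".format(
            shlex.quote(acct["name"]), shlex.quote(acct["resourceGroup"]))
        plan.append({
            "account": acct["name"],
            "network_restricted": network_restricted(acct),
            # Secondary first, so clients can move to it before the primary changes.
            "commands": [
                f"az cosmosdb keys regenerate {target} --key-kind secondary",
                f"az cosmosdb keys regenerate {target} --key-kind primary",
            ],
        })
    return plan

if __name__ == "__main__":
    for step in rotation_plan(SAMPLE_INVENTORY):
        label = "restricted" if step["network_restricted"] else "OPEN"
        print(f"# {step['account']} ({label})")
        print("\n".join(step["commands"]))
```

Between the two commands for an account, applications need to be switched to the new secondary key; network-restricted accounts are only deprioritized, not skipped.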