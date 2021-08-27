A major flaw in Microsoft's Azure Cosmos DB is putting thousands of companies at risk.

In a blog post Thursday, Wiz security researchers Nir Ohfeld and Sagi Tzadik detailed how they were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including Fortune 500 companies Coca-Cola and Exxon Mobil. The vulnerability, which they dubbed ChaosDB, affects Azure's flagship database service, Cosmos DB.

The story was first reported by Reuters Friday after Microsoft warned thousands of cloud customers their databases may be exposed. Exploiting the flaw could allow an attacker to steal the secret keys of Cosmos DB customers.

Ohfeld and Tzadik first uncovered the flaw two weeks ago, during a routine search for new attack surfaces in the cloud. They found that a series of flaws in a Cosmos DB feature created a loophole "allowing any user to download, delete or manipulate a massive collection of commercial databases." And according to the blog, exploiting it was trivial.

First, Ohfeld and Tzadik obtained customers' Cosmos DB primary keys by exploiting a new attack vector in the service's Jupyter Notebook feature. Jupyter Notebook, an interactive environment for running code, queries and visualizations against the data in a database, was added to Cosmos DB by Microsoft in 2019. According to the blog, the feature was automatically turned on for all Cosmos DB accounts this February. The remedy, as Wiz advises, is for customers to change their keys.

"In short, the notebook container allowed for a privilege escalation into other customer notebooks," Ohfeld and Tzadik wrote in the blog. "As a result, an attacker could gain access to customers' Cosmos DB primary keys and other highly sensitive secrets, such as the notebook blob storage access token."

From there, Ohfeld and Tzadik found that an attacker could use the keys to gain full admin access to all the data stored in the affected Cosmos DB accounts. While they credited Microsoft's security team for taking immediate action to fix the flaw, they also said customers may still be at risk, since primary access keys that were potentially exposed before the fix remain valid until they are regenerated.

SearchSecurity contacted Microsoft to find out how many customers were affected, but the scope remains unclear.

"We fixed this issue immediately, to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," a Microsoft spokesperson said in an email to SearchSecurity.

Potential for future impact

Microsoft has notified customers who may have been affected by the vulnerability. A Wiz spokesperson told SearchSecurity that Microsoft emailed 3,300 Azure customers. That is more than 30% of Cosmos DB customers, the share that was using the vulnerable notebook feature during Wiz's weeklong research period.

Jake Kouns, CEO and CISO at Risk Based Security, told SearchSecurity that it is unusual to have not given Azure clients more time to fix the flaw before publicly disclosing. "Now that they have created this media attention, it will likely lead to attackers trying to investigate and exploit this issue faster," he said.

While Microsoft says it has not seen evidence that it's been exploited previously, Wiz told SearchSecurity that this is the kind of vulnerability a hacker could exploit without leaving much of a trace. Additionally, the blog states the flaw has existed anywhere from several months to possibly years.

"It's highly likely that many, many more Cosmos DB customers were affected," a Wiz spokesperson said in an email to SearchSecurity. "Because the potential exposure is so catastrophic in this case, we're encouraging all customers to change their access keys."
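Both Wiz's advice above and the earlier remedy note come down to the same operational task: regenerate the Cosmos DB account keys, because Microsoft's fix on the service side does not invalidate keys that may already have been read. The script below is an added example from the editor, not code from Wiz, Microsoft or the original article. It assumes the Azure CLI (`az`) is installed and logged in to the right subscription, and `repoint_app` is a hypothetical hook standing in for whatever moves your workloads onto a given key (Key Vault update, app settings change, redeploy). The ordering matters: regenerating a key immediately breaks every client still using it, so applications are moved to the secondary key first, the primary is regenerated, applications are moved back, and only then is the secondary regenerated.

```shell
#!/usr/bin/env bash
# Added example (editor-supplied, not from the article or from Wiz/Microsoft):
# rotate both read-write keys of a Cosmos DB account after a possible exposure.
# Assumes the Azure CLI ("az") is installed and authenticated.
set -eu

# AZ_CLI lets a test or a dry run substitute a stub for the real "az" binary.
AZ_CLI="${AZ_CLI:-az}"

# Hypothetical hook: deliver the supplied key to wherever applications read it
# (Key Vault secret, app configuration, ...). Replace with your own step.
# Deliberately prints only the key length, never the key itself.
repoint_app() {
  local key_kind="$1" key_value="$2"
  echo "repoint_app: applications now use the ${key_kind} key (${#key_value} chars)"
}

# Read one key value. "--type keys" returns the four account keys; the JMESPath
# query selects a single field so no other key is written to the terminal.
# field: primaryMasterKey | secondaryMasterKey | primaryReadonlyMasterKey | secondaryReadonlyMasterKey
get_key() {
  local rg="$1" account="$2" field="$3"
  "$AZ_CLI" cosmosdb keys list --resource-group "$rg" --name "$account" \
      --type keys --query "$field" -o tsv
}

# Regenerate one key. key_kind: primary | secondary | primaryReadonly | secondaryReadonly
regenerate_key() {
  local rg="$1" account="$2" key_kind="$3"
  "$AZ_CLI" cosmosdb keys regenerate --resource-group "$rg" --name "$account" \
      --key-kind "$key_kind" -o none
}

# Zero-downtime rotation of both read-write keys. Regenerating a key cuts off
# every client still using it, so:
#   1. move applications to the current secondary key
#   2. regenerate the (possibly leaked) primary key
#   3. move applications to the fresh primary key
#   4. regenerate the secondary key, which also existed while the flaw was live
# The read-only keys can be rotated the same way with primaryReadonly/secondaryReadonly.
rotate_cosmos_keys() {
  local rg="$1" account="$2"
  local key
  key="$(get_key "$rg" "$account" secondaryMasterKey)"
  repoint_app secondary "$key"
  regenerate_key "$rg" "$account" primary
  key="$(get_key "$rg" "$account" primaryMasterKey)"
  repoint_app primary "$key"
  regenerate_key "$rg" "$account" secondary
  echo "rotation complete for ${account}"
}

# Usage: ./rotate-cosmos-keys.sh <resource-group> <account-name>
if [ "$#" -ge 2 ]; then
  rotate_cosmos_keys "$1" "$2"
fi
```

Run it once per Cosmos DB account, and treat any client that starts failing with authorization errors mid-rotation as a sign that it was reading the key from somewhere `repoint_app` does not update. Setting `AZ_CLI` to a shell function that only echoes its arguments gives a dry run showing the exact `az` calls in order without touching the account.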