On Thursday, Microsoft notified several thousand customers of its Azure cloud services about a critical vulnerability that allowed unauthorized people full access to customers’ cloud databases. The vulnerability affects one of Azure’s main products, the NoSQL multi-model database CosmosDB. According to Microsoft, the vulnerability is now closed, but affected customers must take action themselves to prevent unauthorized access, Reuters reports.
Full access to customer databases
According to the Reuters report, IT security specialist Ami Luttwak of Wiz discovered the vulnerability on August 9 and reported it to Microsoft three days later. Microsoft told Reuters that the company immediately fixed the issue “to maintain the safety and security of our customers.” We thank the security researchers for their work in the context of coordinated disclosure of the vulnerability. Microsoft also emailed Wiz to announce that it will pay $40,000 for reporting the vulnerability.
Finally, on August 26, Microsoft sent an email to several thousand affected cloud customers. In the message obtained by Reuters, the company warns its customers that attackers had the opportunity to read, change and even delete all main databases. Luttwak was able to access the primary keys with read and write permission (primary read-write keys), which gave him full access to customer databases. Since Microsoft cannot change these keys on its own, the company asked its customers to take action and replace the CosmosDB primary key as a precaution. Although the security hole has already been closed, this step is meant to rule out any potential access to the database. Microsoft wrote in the letter that it found no evidence that third parties (other than Wiz) had accessed the keys.
“The worst vulnerability in the cloud imaginable”
This was the worst vulnerability in the cloud imaginable, Luttwak told Reuters. CosmosDB is the central database for Azure, and the vulnerability allowed the Wiz team to access any customer database it chose. Luttwak, Chief Technology Officer of Wiz, was previously the Chief Technology Officer of Microsoft’s Cloud Security Group.
This database service is particularly suited to managing large amounts of data globally, not least because of its scalability. That is why Azure customers like Coca-Cola, Exxon-Mobil, and Citrix use CosmosDB to manage massive amounts of data from around the world in near real time. CosmosDB has been hailed as one of the easiest and most flexible ways for developers to store data. The database supports critical business functions such as processing millions of transactions or managing customer orders on e-commerce websites. Conversely, any vulnerability in this database inevitably affects thousands of customers.
In a blog post, Luttwak describes the discovery of the vulnerability, which he named “ChaosDB”, in detail. The attack vector is opened up by the Jupyter Notebook feature Microsoft released in 2019, which customers can use to visualize their CosmosDB data and build custom views. In February 2021, Microsoft automatically enabled this feature for all CosmosDB instances. A series of misconfigurations in the notebook feature allowed the security researchers to escalate privileges within the notebook container. Without revealing the details yet, the security researchers state that they managed to obtain the primary key of the CosmosDB databases.
This primary key grants access to every CosmosDB database in Microsoft Azure that is set up with it. Whoever holds the key is effectively an administrator with full access (read, write, delete) to the database.
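The remediation Microsoft asked customers to perform is to replace the CosmosDB primary key. The following script, an added example that is not part of the article and not Microsoft’s or Wiz’s code, does that with the Azure CLI for one account or for every Cosmos DB account in the current subscription; it assumes the `az` CLI is installed and logged in, that the caller has rights to regenerate keys, and a `DRY_RUN=1` switch prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft/Wiz): regenerate the
# primary keys of Azure Cosmos DB accounts with the Azure CLI.
# Assumptions: `az` is installed and authenticated (`az login`), and the
# caller may regenerate keys on the accounts. DRY_RUN=1 prints instead of runs.

# Execute a command line, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Rotate the primary read-write key and the primary read-only key of one account.
# Clients using the old primary key lose access once it is regenerated, so point
# them at the secondary key first and rotate that one afterwards.
# Arguments: <account-name> <resource-group>
rotate_account() {
  acct="$1"
  rg="$2"
  for kind in primary primaryReadonly; do
    run az cosmosdb keys regenerate \
      --name "$acct" --resource-group "$rg" --key-kind "$kind"
  done
}

# Enumerate every Cosmos DB account in the active subscription and rotate each.
rotate_all() {
  az cosmosdb list --query "[].[name,resourceGroup]" -o tsv |
  while IFS="$(printf '\t')" read -r name rg; do
    rotate_account "$name" "$rg"
  done
}
```

Run `DRY_RUN=1 ./rotate.sh` first to review the commands, then rotate the secondary keys with `--key-kind secondary` and `secondaryReadonly` once applications have been switched over.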
Microsoft is notifying affected customers – but likely not all
Speaking to Reuters, Luttwak criticized Microsoft’s warnings to its customers: the company only wrote to customers whose vulnerable keys were exposed in the same month in which Wiz discovered and investigated the problem. However, given how long the vulnerability was accessible, attackers were able to see the keys of many more customers, and Microsoft did not inform those customers. Asked about this, Microsoft told Reuters only that potentially affected customers had been informed, without elaborating.
For European Azure cloud customers who store personal data in a CosmosDB instance, the question also arises whether a GDPR breach notification must be sent to the responsible data protection authorities within 72 hours because of a potential security incident.
Microsoft has already had to contend with security vulnerabilities and incidents this year. In January, it became known that attackers had managed to penetrate Microsoft’s internal network through vulnerabilities in the service provider SolarWinds and view source code. In addition, printer management under Windows has had several critical vulnerabilities that administrators need to take action against.
[Update 28.8.2021, 16:57:] Added more details to the article.