Explained: The Microsoft Azure cloud vulnerability

30 Aug 2021

Image: © Maksim Kabakou/Stock.adobe.com

What is ChaosDB and how has it affected Azure users? Here’s what you need to know about the major Microsoft vulnerability that recently came to light.

Last week, cloud security vendor Wiz said it found what was described as “the worst cloud vulnerability you can imagine” in Microsoft Azure’s managed database service.

The vulnerability left thousands of Azure customers, including several Fortune 500 companies, exposed for the last two years.

But what exactly happened and what does it mean for Azure customers?

The vulnerability uncovered by the Wiz research team was within the Microsoft Azure Cosmos DB, a fully managed NoSQL database service for modern app development.

According to the Wiz team, a series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, and gave read-write access to the underlying architecture of Cosmos DB.

“We named this vulnerability #ChaosDB. Exploiting it was trivial and required no other credentials,” the Wiz team said.

How the vulnerability works

The ChaosDB vulnerability meant that it was possible for malicious actors to obtain the primary read-write keys of most Cosmos DB accounts. These keys are the holy grail for attackers: a primary read-write key is scoped to the whole account, not a single database, so whoever holds it can read, write, delete and exfiltrate every database in that account without any further authentication.

The vulnerability came about via a data-exploration feature that Microsoft added in 2019: Jupyter Notebooks built into Cosmos DB. According to Wiz, a series of misconfigurations in that feature meant an attacker could escape the scope of their own notebook and gain access to other customers’ Cosmos DB primary keys.

The feature was automatically turned on for all Cosmos DB users in February 2021.

Speaking to Reuters, Wiz’s chief technology officer Ami Luttwak described this as “the worst cloud vulnerability you can imagine”.

Luttwak, who is also a former chief technology officer at Microsoft’s cloud security group, added that this is the central database of Azure. “We were able to get access to any customer database that we wanted.”

Cosmos DB counts major companies such as Liberty Mutual, Skype, Citrix and Symantec among its users.

Rectifying the issue

According to Microsoft, the vulnerability was reported on 12 August and was mitigated immediately.

The company said its own investigation indicated that no customer data was accessed because of this vulnerability and that it has notified customers who may have been affected.

“This vulnerability only affects a subset of customers who had the Jupyter Notebook feature enabled. Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key. Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable,” said Microsoft.

However, while Wiz said Microsoft’s security team deserves “enormous credit” for moving so fast to correct the vulnerability, it also said that more customers may be affected than those the tech giant notified.

“As a precaution, we urge every Cosmos DB customer to take steps to protect their information,” it said.

What Azure customers need to do

While Microsoft has said it patched the vulnerability and notified customers it believes may be impacted, the company cannot rotate its customers’ primary access keys itself, and a key that has already been copied cannot be revoked any other way.

This is why it asked affected customers to regenerate their keys themselves in order to mitigate exposure. Regenerating a key invalidates the old one immediately, so any application still using it will start failing until it is updated with the new key.

Both the Wiz security team and the US Cybersecurity and Infrastructure Security Agency have advised that all Azure Cosmos DB customers roll and regenerate their primary read-write keys to protect their data, whether or not Microsoft notified them.

Luttwak told Reuters that he believes “it’s really hard for [Microsoft], if not impossible, to completely rule out that someone used this before”.

Microsoft has outlined a step-by-step guide for customers on how to regenerate their primary read-write key in a blog post.
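The key rotation described above, carried out with the Azure CLI, as an added example that is not part of the article and is not Microsoft’s or Wiz’s own script. It relies on two real `az` commands, `az cosmosdb keys regenerate` and `az cosmosdb keys list`; the resource-group and account names are placeholders, it assumes you are already logged in with `az login` with an identity allowed to regenerate keys on the account, and `DRY_RUN=1` is a switch of this script (not of `az`) that prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the article, Microsoft or Wiz): rotate an Azure
# Cosmos DB account key with the Azure CLI, the remediation Microsoft and CISA
# asked customers to perform after ChaosDB.
#
# Assumptions: `az` is installed and logged in (`az login`) with an identity
# that may regenerate keys on the account. Resource group and account names
# passed to the functions are placeholders chosen by the caller.
set -eu

# DRY_RUN=1 is this script's own switch: print the az commands instead of
# executing them, so the sequence can be reviewed without touching a live account.
DRY_RUN="${DRY_RUN:-0}"

run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Short SHA-256 prefix of a key: enough to tell two keys apart in a log line
# without ever writing the secret itself to stdout, a log file or a ticket.
key_fingerprint() {
  printf '%s' "$1" | sha256sum | cut -c1-12
}

# rotate_key RESOURCE_GROUP ACCOUNT [KIND]
# KIND is one of primary, secondary, primaryReadonly, secondaryReadonly (the
# values az accepts for --key-kind); the default is primary, the key that was
# exposed. Regeneration invalidates the old key immediately, so clients still
# using it start failing with 401 as soon as this runs: move them to the
# secondary key first if you need zero downtime, then rotate that one too.
rotate_key() {
  local rg="$1" account="$2" kind="${3:-primary}"
  case "$kind" in
    primary|secondary|primaryReadonly|secondaryReadonly) ;;
    *) echo "rotate_key: unknown key kind '$kind'" >&2; return 2 ;;
  esac
  run_az cosmosdb keys regenerate --resource-group "$rg" --name "$account" --key-kind "$kind"
}

# current_primary_fingerprint RESOURCE_GROUP ACCOUNT
# Reads the current primary read-write key and prints only its fingerprint.
# Run it before and after rotate_key to confirm the key actually changed.
current_primary_fingerprint() {
  local rg="$1" account="$2" key
  key="$(run_az cosmosdb keys list --resource-group "$rg" --name "$account" \
           --type keys --query primaryMasterKey -o tsv)"
  key_fingerprint "$key"
}

# Usage, with placeholder names (source this file, then):
#   current_primary_fingerprint my-resource-group my-cosmos-account   # before
#   rotate_key my-resource-group my-cosmos-account primary
#   current_primary_fingerprint my-resource-group my-cosmos-account   # after: differs
```

Only the fingerprints are printed, never the keys themselves: a rotation runbook that echoes the new key into a terminal scrollback or CI log just creates the next leak. Once the primary read-write key has been regenerated, update every application, connection string and secret store that held the old value, and treat any 401 responses that follow as a map of the clients you forgot.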

Jenny Darmody is the editor of Silicon Republic

editorial@siliconrepublic.com