Last week, researchers from cloud security firm Wiz reported a new vulnerability in Microsoft Azure's managed database service, Cosmos DB, that they called the worst they've ever seen.
According to the researchers, the Azure vulnerability, which they dubbed ChaosDB, gave them "complete, unrestricted access to the accounts and databases of several thousand Microsoft Azure companies, including many Fortune 500 companies."
How did this happen?
In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB. It lets companies visualize their data.
"For this feature to work, the notebook needs access to the database," said Avi Nutkis, security engineer at Oak9.
Microsoft automatically turned it on for all their customers earlier this year.
"Unfortunately, they misconfigured this new feature," Nutkis told Data Center Knowledge.
The notebook container allowed users to escalate privileges and get into other customers' notebooks and steal their access keys. Then those keys could be used to access all the data in their Cosmos DB accounts.
"We exfiltrated the keys to gain long-term access to the customer assets and data," said the Wiz researchers, Nir Ohfeld and Sagi Tzadik. "We could then control the customer Cosmos DB directly from the internet."
They had full access. They could read, write and delete data – for thousands of companies.
"This is the first publicly known vulnerability affecting one of the big three public clouds that breaks secure multitenancy," said Oak9's Nutkis. "One tenant – customer – of a cloud provider should not have the ability to access or affect another tenant without authorization. Secure multitenancy is a core building block of public cloud security, and without it, no organization or individual could trust a public cloud."
Microsoft disabled the vulnerable notebooks within two days of learning about the problem. That was pretty fast action, but it was a pretty big problem.
Unfortunately, if any attackers had already gotten their hands on the security keys, they would still have access to the databases.
According to Microsoft, there is no evidence of the Azure vulnerability being exploited by anyone else other than the researchers who discovered it, but they contacted Cosmos DB customers and told them to change their keys just in case.
"What is concerning is that such a minor oversight could have led to a breach of this magnitude," said Dan Petro, lead researcher at security testing firm Bishop Fox. "Typically, there would be many other layers of security that architecturally prevent this kind of access, which apparently were not in place."
Any company, no matter how large, can make a configuration mistake, he said.
"However, being able to access data cross-accounts should not architecturally be possible from a simple misconfiguration," he told Data Center Knowledge.
If you don't know whether you have Cosmos DB accounts with Jupyter notebooks, Wiz security researcher Alon Schindel posted some instructions for how to find out.
He also provided instructions for how to reset the security keys and how to track the key regeneration process.
For those companies that can't reset their keys, Schindel advised limited network access to the affected databases.
Long term, companies should move away from the use of shared security keys.
Francisco Donoso, senior director of global security strategy at Kudelski Security, recommends that companies use role-based access control instead, a set of security tools already available on the Azure cloud.
"Clients can limit data access and administration functions to specific user groups or applications," he told Data Center Knowledge.