On August 27, Wiz, a cloud security provider, publicly disclosed a series of flaws in Azure’s database service, Cosmos DB, that enabled any user to download, delete or alter company databases without any other credentials.
The flaw lay in Cosmos DB’s built-in Jupyter Notebook feature. Jupyter Notebook is an open-source visualization tool often used for statistical modeling, machine learning and data cleaning; although it has been available in Cosmos DB since 2019, Microsoft enabled it by default for Cosmos DB accounts in February 2021.
To gain access to a Cosmos database, Wiz researchers first obtained customers’ Cosmos DB primary keys, which grant full read, write and delete access to customer data. The notebook container allowed privilege escalation into other customers’ notebooks, according to Wiz.
Wiz researchers discovered the vulnerability, which they named ChaosDB, on August 9 and informed Microsoft on August 12. Microsoft disabled the buggy Jupyter Notebook feature on August 14. The vulnerability has not been exploited in the wild, and no customer data was affected, according to Microsoft.
However, Microsoft’s recent track record for effectively communicating about its vulnerabilities has been suspect, according to various security experts. Microsoft caused confusion during July’s PrintNightmare incident when it first misdiagnosed the severity of the bug, only to update the documentation later on with confirmation that the vulnerability was a remote code execution.
According to Wiz, Microsoft only warned 30% of its customers about the vulnerability. The actual number of customers affected by ChaosDB is higher, Wiz researchers claimed.
How Bad is This?
Wiz CTO Ami Luttwak, who was previously CTO of Microsoft’s Cloud Security Group, called ChaosDB “the worst cloud vulnerability you can imagine.” The flaw left customers’ Cosmos DB databases exposed for the last two years.
Had someone other than Wiz found the same flaw between February 2021 and now, and been able to locate and enumerate a company’s Cosmos DB accounts, the risk would have been far greater.
However, the flaw was mitigated when Microsoft disabled the buggy Jupyter Notebook feature, according to Wiz.
What Should I Do?
Microsoft advises all Cosmos DB customers to regenerate their primary keys, a task that Microsoft cannot complete on their customers’ behalf.
The company also provided several other steps to secure Cosmos DB:
- As a standard security best practice, consider using the Azure Cosmos DB firewall and virtual network integration to control the access to your accounts at the network level.
- If you are using the Azure Cosmos DB Core (SQL) API, consider using the Azure Cosmos DB role-based access control (RBAC) to authenticate your database operations with Azure Active Directory instead of primary/secondary keys. With RBAC, you have the option to completely disable your account’s primary/secondary keys.
- For a complete overview of the security controls available on Azure Cosmos DB, refer to our security baseline.
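The steps above describe settings, so here is an added example (not Microsoft’s or Blumira’s code) that checks a Cosmos DB account document against them: network restrictions (IP and virtual-network rules) and Azure AD RBAC in place of primary/secondary keys. The two account documents are constructed to resemble `az cosmosdb show` output; the property names (`publicNetworkAccess`, `ipRules`, `isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `disableLocalAuth`, `disableKeyBasedMetadataWriteAccess`) are the real ARM properties of `Microsoft.DocumentDB/databaseAccounts`, while the account names, subnet ID and address range are invented.

```python
"""Check a Cosmos DB account's configuration against the hardening steps above.

Added example, not Microsoft's or Blumira's code. The two account documents are
constructed to resemble `az cosmosdb show` output; property names are the real
ARM properties of Microsoft.DocumentDB/databaseAccounts, values are invented.
"""
import json

# Constructed: an account left at defaults, reachable from anywhere by anyone holding a key.
WEAK_ACCOUNT = json.dumps({
    "name": "cosmos-weak",
    "publicNetworkAccess": "Enabled",
    "ipRules": [],
    "isVirtualNetworkFilterEnabled": False,
    "virtualNetworkRules": [],
    "disableLocalAuth": False,
    "disableKeyBasedMetadataWriteAccess": False,
})

# Constructed: the same account after applying the steps above.
HARDENED_ACCOUNT = json.dumps({
    "name": "cosmos-hardened",
    "publicNetworkAccess": "Enabled",
    "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],   # constructed corporate egress range
    "isVirtualNetworkFilterEnabled": True,
    "virtualNetworkRules": [{"id": "/subscriptions/11111111-1111-1111-1111-111111111111"
                                   "/resourceGroups/rg-demo/providers/Microsoft.Network"
                                   "/virtualNetworks/vnet-app/subnets/snet-app"}],   # constructed
    "disableLocalAuth": True,                   # Azure AD RBAC only; primary/secondary keys rejected
    "disableKeyBasedMetadataWriteAccess": True,
})


def assess_account(doc):
    """Return (severity, message) findings for one account document."""
    props = doc.get("properties", doc)   # ARM nests settings under "properties"; az CLI flattens them
    findings = []

    ip_rules = [r.get("ipAddressOrRange", "") for r in props.get("ipRules", [])]
    vnet_filter = bool(props.get("isVirtualNetworkFilterEnabled", False))
    public = props.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public and not ip_rules and not vnet_filter:
        findings.append(("high", "network: no IP or virtual-network rules, so anyone holding a key can connect"))
    if "0.0.0.0/0" in ip_rules:
        findings.append(("high", "network: IP rule 0.0.0.0/0 admits every address"))
    if "0.0.0.0" in ip_rules:
        findings.append(("medium", "network: IP rule 0.0.0.0 admits Azure datacenter ranges, not only your own"))

    if not props.get("disableLocalAuth", False):
        findings.append(("high", "auth: primary/secondary keys are accepted (disableLocalAuth=false); "
                                 "move clients to Azure AD RBAC, then disable keys"))
    if not props.get("disableKeyBasedMetadataWriteAccess", False):
        findings.append(("medium", "auth: account keys can also create or drop databases and containers "
                                   "(disableKeyBasedMetadataWriteAccess=false)"))
    return findings


def assess_json(text):
    """Convenience wrapper for a JSON string such as `az cosmosdb show` output."""
    return assess_account(json.loads(text))


def print_report(text):
    doc = json.loads(text)
    findings = assess_account(doc)
    print(f"{doc.get('name', '?')}: {len(findings)} finding(s)")
    for severity, message in findings:
        print(f"  [{severity}] {message}")


if __name__ == "__main__":
    print_report(WEAK_ACCOUNT)      # three findings
    print_report(HARDENED_ACCOUNT)  # none
```

Run it against the JSON from `az cosmosdb show` for each account. Two practical caveats: `disableLocalAuth` rejects every client that still authenticates with a key, so migrate applications to Azure AD first; and the key regeneration Microsoft asks for is a separate action (`az cosmosdb keys regenerate --key-kind primary` per account, followed by updating every client that embeds the old key) that no configuration check can do for you.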
Cloud customers should be aware of the inherent risks involved in allowing a vendor to store customer data. Cloud services aren’t assigned CVEs, so flaws like ChaosDB get silently patched. A customer may or may not be notified about their exposure, because it is up to the vendor to decide whether to perform security auditing or pentesting.
Security experts, including those at Wiz, believe that there should be an industry initiative to develop a CVE repository for cloud services.
There is a massive gap in cloud security, by the way. No CVE numbers are issued for flaws, and suppliers aren’t required to disclose flaws. Cloud services aren’t magically secure.
You’ll notice public disclosure of this comes from an external researcher.
— Kevin Beaumont (@GossiTheDog) August 27, 2021
How To Detect
Organizations running cloud services should have monitoring capabilities in place to limit their exposure to flaws like ChaosDB. As Wiz notes in its latest update, a number of the actions involved are not logged without additional effort, such as the last time a key was regenerated. However, there are a number of opportunities for monitoring to ensure your data is audited and properly secured.
IT and security teams should be able to monitor:
- Azure IAM access and other administrative actions
- Azure Cosmos DB access via role-based access control, by enabling diagnostic logs
- Malicious access to other systems such as Office 365 and Azure AD, where accounts may hold roles that can affect your cloud infrastructure
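As an added example (not Blumira’s or Microsoft’s code), the script below applies the first two monitoring points to an Azure Activity Log export: every key listing or regeneration becomes an alert, rated high when the caller is not a known key administrator, and the last successful `regenerateKey` per account is derived from the log, which is the timestamp the update above says is not otherwise surfaced. The log records are constructed; the operation names `Microsoft.DocumentDB/databaseAccounts/listKeys/action`, `readonlykeys/action` and `regenerateKey/action` are the real ARM operations, while the principals, timestamps, subscription ID and account names are invented.

```python
"""Flag Cosmos DB key operations and stale keys from an Azure Activity Log export.

Added example, not Blumira's or Microsoft's code. The log records below are
constructed: the operation names are the real ARM operations for listing and
regenerating Cosmos DB keys, but every principal, timestamp and resource ID is
invented for the demonstration.
"""
import json
from datetime import datetime

# Real ARM operation names that touch Cosmos DB account keys.
KEY_OPERATIONS = {
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action": "list_keys",
    "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action": "list_readonly_keys",
    "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action": "regenerate_key",
}

# Constructed: the only principals expected to handle keys in this tenant.
KNOWN_KEY_ADMINS = {"ops-admin@example.com"}


def parse_time(iso_text):
    """Parse an Activity Log timestamp such as 2021-08-28T14:30:00Z into an aware datetime."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def _resource_id(account):
    """Constructed resource ID in the shape Azure uses for a Cosmos DB account."""
    return ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-demo"
            f"/providers/Microsoft.DocumentDB/databaseAccounts/{account}")


def _event(time, op, account, caller, result="Success"):
    return {"time": time, "operationName": op, "resourceId": _resource_id(account),
            "caller": caller, "resultType": result}


# Constructed activity-log export in JSON-lines form (one record per line).
SAMPLE_ACTIVITY_LOG = "\n".join(json.dumps(e) for e in [
    _event("2021-06-01T10:00:00Z", "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action",
           "cosmos-prod", "ops-admin@example.com"),
    _event("2021-08-20T03:12:45Z", "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
           "cosmos-prod", "unknown-service-principal"),
    _event("2021-08-21T09:00:00Z", "Microsoft.DocumentDB/databaseAccounts/read",
           "cosmos-prod", "ops-admin@example.com"),
    _event("2021-08-22T11:00:00Z", "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
           "cosmos-dev", "ops-admin@example.com"),
    _event("2021-08-28T14:30:00Z", "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action",
           "cosmos-prod", "ops-admin@example.com"),
])


def parse_activity_log(text):
    """Parse JSON-lines records, converting time and extracting the account name from the resource ID."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = parse_time(rec["time"])
        rec["account"] = rec["resourceId"].rsplit("/", 1)[-1]
        records.append(rec)
    return records


def key_access_alerts(records, known_admins=KNOWN_KEY_ADMINS):
    """Every key list/regenerate operation becomes an alert; unknown callers are rated high."""
    alerts = []
    for rec in records:
        kind = KEY_OPERATIONS.get(rec.get("operationName"))
        if kind is None:
            continue  # not a key operation (e.g. a plain read of the account)
        alerts.append({
            "time": rec["time"], "account": rec["account"], "caller": rec["caller"],
            "operation": kind, "result": rec.get("resultType"),
            "severity": "info" if rec["caller"] in known_admins else "high",
        })
    return alerts


def last_key_regeneration(records):
    """Most recent successful regenerateKey per account, derived from the log itself."""
    last = {}
    for rec in records:
        if (KEY_OPERATIONS.get(rec.get("operationName")) == "regenerate_key"
                and rec.get("resultType") == "Success"):
            acct = rec["account"]
            if acct not in last or rec["time"] > last[acct]:
                last[acct] = rec["time"]
    return last


def stale_key_accounts(records, now, max_age_days):
    """Accounts whose keys were never regenerated in the export, or not within max_age_days."""
    last = last_key_regeneration(records)
    stale = []
    for acct in sorted({rec["account"] for rec in records}):
        when = last.get(acct)
        if when is None or (now - when).days > max_age_days:
            stale.append(acct)
    return stale


if __name__ == "__main__":
    recs = parse_activity_log(SAMPLE_ACTIVITY_LOG)
    for a in key_access_alerts(recs):
        print(f"[{a['severity']}] {a['time']:%Y-%m-%d %H:%M} {a['account']} {a['operation']} by {a['caller']}")
    now = parse_time("2021-09-01T00:00:00Z")
    print("keys older than 90 days or never regenerated:", stale_key_accounts(recs, now, 90))
```

Feed it an export of the subscription’s Activity Log (JSON lines, one record per line) and keep `KNOWN_KEY_ADMINS` in step with whoever legitimately rotates keys; an export that contains no `regenerateKey` at all for an account is the case that matters most here, since it means the keys the page says to regenerate still have not been.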
How Blumira Secures Azure Cloud
Blumira’s cloud-based security leverages threat intelligence and behavioral analytics to detect attacker attempts to log in to your systems, including geo-impossible logins and fraudulent login attempts that could indicate the theft of usernames and passwords.
Blumira easily integrates with AWS and Microsoft Azure to detect misconfigurations, suspicious logins and other behaviors, limiting their security impact on your environment.