Cloud infrastructure security company Wiz on Thursday revealed details of a now-fixed Azure Cosmos DB vulnerability that could be exploited to grant any Azure user full administrator access to other customers' database instances without any authorization.
The vulnerability grants read, write, and delete permissions and is dubbed "ChaosDB," Wiz researchers noted. "The vulnerability has a trivial exploit that does not require any prior access to the target environment and affects thousands of organizations, including numerous Fortune 500 companies."
Cosmos DB is Microsoft's proprietary NoSQL database that's billed as "a fully managed service" that "takes database management out of your hands with automated management, updates, and patching."
The Wiz research team reported the issue to Microsoft on August 12, after which the Windows maker took steps to mitigate the issue within 48 hours of responsible disclosure and offered a $40,000 bounty to the finder on August 17.
"We have no indication that external entities other than the researchers had access to the primary read-write keys associated with your Azure Cosmos DB account," Microsoft said in a statement. "Additionally, we are not aware of any data access as a result of this vulnerability. Azure Cosmos DB accounts with vNET or firewall enabled are protected by additional security mechanisms to prevent the risk of unauthorized access."
The issue discovered by Wiz is a chain of flaws in Cosmos DB's Jupyter Notebook feature that allowed an attacker to obtain credentials for a targeted Cosmos DB account, including the Primary Key, which grants full access to the database account's management resources.
"Using these credentials, data in the target Cosmos DB account can be viewed, modified, and deleted through multiple channels," the researchers said. Therefore, any Cosmos DB assets with Jupyter Notebook functionality enabled may be affected.
Although Microsoft notified more than 30% of Cosmos DB customers about the potential security vulnerability, Wiz expects the actual number of affected customers to be higher because the vulnerability has been exploited for months.
"Every Cosmos DB customer should assume they have been exposed," Wiz researchers noted, adding, "We also recommend that you review all past activity in your Cosmos DB account." Additionally, Microsoft is urging its customers to regenerate their Cosmos DB primary keys to mitigate any risk caused by this flaw.
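The rotation advice above is easy to state and tedious to carry out across many accounts. The script below is an added example, not code from the article, Wiz or Microsoft: it takes a list of Cosmos DB account records shaped like the JSON that `az cosmosdb list -o json` returns, ranks each account by how exposed its network settings left it (accounts with a vNET filter or firewall IP rules had extra protection, accounts with public access and no rules had none), and emits the `az cosmosdb keys regenerate` commands for every account, since the advice is that every customer should assume exposure. The property names `publicNetworkAccess`, `isVirtualNetworkFilterEnabled`, `ipRules` and `virtualNetworkRules` are from the ARM DatabaseAccount resource and `--key-kind primary|secondary` is a real Azure CLI option; the account names, resource groups and subnet id in `SAMPLE_ACCOUNTS` are constructed.

```python
"""Triage helper for rotating Cosmos DB read-write keys after ChaosDB.

Added example; assumes account records shaped like `az cosmosdb list -o json`.
All account data below is constructed.
"""
import json
import shlex
from dataclasses import dataclass

# Constructed sample, shaped like `az cosmosdb list -o json` output.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "orders-db", "resourceGroup": "rg-prod",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [], "virtualNetworkRules": []},
  {"name": "analytics-db", "resourceGroup": "rg-data",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": true,
   "ipRules": [], "virtualNetworkRules": [{"id": "<constructed-subnet-resource-id>"}]},
  {"name": "legacy-db", "resourceGroup": "rg-legacy",
   "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}], "virtualNetworkRules": []},
  {"name": "private-db", "resourceGroup": "rg-prod",
   "publicNetworkAccess": "Disabled", "isVirtualNetworkFilterEnabled": false,
   "ipRules": [], "virtualNetworkRules": []}
]
""")


@dataclass
class Finding:
    name: str
    resource_group: str
    exposure: str        # "open", "restricted" or "private"
    rotate_cmds: list    # az CLI commands to run, in order


def classify(account: dict) -> str:
    """Map an account's network settings to a coarse exposure level.

    "open" means public access with no vNET filter and no firewall IP rules,
    i.e. the accounts that had no additional protection against a leaked key.
    """
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "private"
    if account.get("isVirtualNetworkFilterEnabled") or account.get("ipRules"):
        return "restricted"
    return "open"


def rotation_commands(account: dict) -> list:
    """Return the az CLI commands that regenerate both read-write keys.

    Secondary is rotated first so clients can be moved onto it before the
    primary key, the one the article says was exposed, is regenerated.
    """
    base = ["az", "cosmosdb", "keys", "regenerate",
            "--name", account["name"],
            "--resource-group", account["resourceGroup"],
            "--key-kind"]
    return [shlex.join(base + [kind]) for kind in ("secondary", "primary")]


def triage(accounts: list) -> list:
    """One Finding per account, most exposed first.

    Every account gets rotation commands: the guidance is to assume exposure,
    not to rotate only the accounts that look reachable from the internet.
    """
    findings = [Finding(a["name"], a["resourceGroup"], classify(a),
                        rotation_commands(a)) for a in accounts]
    order = {"open": 0, "restricted": 1, "private": 2}
    findings.sort(key=lambda f: order[f.exposure])   # stable sort keeps input order within a tier
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCOUNTS):
        print(f"[{f.exposure:10}] {f.resource_group}/{f.name}")
        for cmd in f.rotate_cmds:
            print("    ", cmd)
```

In practice the JSON would come from `az cosmosdb list -o json` against each subscription, and the printed commands form the runbook; the review of past account activity that Wiz also recommends is a separate step against the account's diagnostic logs and is not covered by this script.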
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/serious-vulnerability-found-in-cosmos-database-html