Azure's now-fixed Cosmos DB flaw could have been exploited to read, write any database
Infosec outfit Wiz has revealed that Microsoft's flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access - including the ability to read, write and delete data - to any Cosmos DB instance on Azure.
Wiz has named the flaw ChaosDB. "By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook," reads Wiz's explanation.
"The attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key."
Wiz reckons the fun to be had includes the ability to "View, modify, and delete data in the target Cosmos DB account via multiple channels."
Wiz's advisory claims it found the flaw on August 9, informed Microsoft on the 12th, saw the vulnerable feature had been disabled on the 14th, and noticed some credentials had been revoked on the 16th. Microsoft paid a $40,000 bounty to Wiz on the 17th. Wiz says the Windows giant has advised Azure users to regenerate their Cosmos DB primary keys, ASAP, as a precaution.
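The precaution Microsoft advised is key regeneration. The script below is an added example, not code from the article, Wiz or Microsoft, showing how an operator would rotate a Cosmos DB account's read-write keys with the Azure CLI without taking clients down: regenerate the secondary key first, move clients onto it, then regenerate the primary key (the one the advisory says an attacker could obtain), then move clients back. It assumes the `az` CLI is installed and logged in; `mycosmos` and `myrg` are placeholder names, the two "switch connection strings" steps are left as echoed reminders, and the rotation order is the author's recommendation rather than something the article states. With `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the article, Wiz or Microsoft): rotate a Cosmos DB
# account's read-write keys in an order that avoids an outage.
# Assumes the Azure CLI ("az") is installed and logged in. Account and
# resource group names are placeholders supplied by the caller.
# With DRY_RUN=1 (the default) commands are printed, not executed.

DRY_RUN="${DRY_RUN:-1}"

# run_az: print the az command line; execute it only when DRY_RUN=0.
run_az() {
    echo "az $*"
    if [ "$DRY_RUN" = "0" ]; then
        az "$@"
    fi
}

# regenerate_key ACCOUNT RESOURCE_GROUP KIND
# KIND is one of the CLI's key kinds:
#   primary, secondary, primaryReadonly, secondaryReadonly
regenerate_key() {
    run_az cosmosdb keys regenerate \
        --name "$1" --resource-group "$2" --key-kind "$3"
}

# rotate_keys ACCOUNT RESOURCE_GROUP
# 1. regenerate the secondary key (clients should not be using it yet)
# 2. repoint clients at the new secondary key (placeholder step)
# 3. regenerate the primary key, invalidating any copy an attacker holds
# 4. repoint clients at the new primary key (placeholder step)
# Read-only keys rotate the same way with primaryReadonly/secondaryReadonly.
rotate_keys() {
    account="$1"
    rg="$2"
    regenerate_key "$account" "$rg" secondary
    echo "# switch application connection strings to the new secondary key"
    regenerate_key "$account" "$rg" primary
    echo "# switch application connection strings to the new primary key"
}

# count_regenerate ACCOUNT RESOURCE_GROUP
# Number of regenerate commands a run of rotate_keys emits (used as a check).
count_regenerate() {
    rotate_keys "$1" "$2" | grep -c 'cosmosdb keys regenerate'
}

# Usage: DRY_RUN=0 sh rotate.sh   (after editing the placeholder names)
# rotate_keys mycosmos myrg
```

Rotating both keys matters because a client that was already on the secondary key would lose access if only the primary were regenerated; regenerating the secondary first gives clients a fresh key to move to before the compromised primary is replaced. Key rotation addresses only the account keys named in the advisory; it does not by itself reveal whether the keys were used, which is a question for the account's diagnostic logs.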
A spokesperson for Microsoft told The Register on Thursday: "We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/27/chaos_db_azure_cosmos_flaw/