Security News > 2021 > November > ChaosDB: Infosec bods could pull anyone's plaintext Azure Cosmos DB keys at will from Microsoft admin tools
An astonishing piece of vulnerability probing gave infosec researchers a way into to Microsoft's management controls for Azure Cosmos DB - with full read and write privileges over customer databases.
The so-called ChaosDB vuln gave Wiz researchers "Access to the control panel of the underlying service" that hosts Azure Cosmos, Microsoft's managed cloudy document database service, they said.
Thanks to a series of exploitable configuration blunders, the Wiz researchers were able to escape from their own containerised Azure Cosmos instance onto the underlying virtual machine, and then freely roam around Azure Service Fabric - Microsoft's own Kubernetes-style service that controls Azure Cosmos.
The researchers started off by looking closely at Jupyter Notebook within Azure Cosmos.
This got them onto the Windows-based host VM. From there they pivoted to WireServer, an extension manager used to administer Azure VMs. Helpfully, WireServer is an open-source project on GitHub; poking around there gave enough clues to identify some Azure Cosmos certificates in WireServer - and their private keys.
Ohfeld described this to El Reg as "The Holy Grail for an attacker." Tzadik added that a malicious person with those keys could have even encrypted every single customer database within reach - potentially thousands, with a bit more lateral movement through the Azure Cosmos management layer.