If you’re running NoSQL databases on Microsoft’s Azure cloud, chances are you’re running Cosmos DB. And, if that’s you, you’re in trouble. Even Microsoft had admitted that this newly discovered critical vulnerability, ChaosDB, enables intruders to read, change or even delete all your databases.
According to the Microsoft email describing the problem to affected customers, “Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.”
That’s a good thing because according to the cloud security firm, WIZ, which uncovered the ChaosDB security hole, it “gives any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment and impacts thousands of organizations, including numerous Fortune 500 companies.”
How trivial is the exploit? Very.
According to WIZ, all an attacker needs to do is exploit an easy-to-follow chain of vulnerabilities in Cosmos DB’s Jupyter Notebook. Jupyter Notebook is an open-source web application that is directly integrated with your Azure portal and Cosmos DB accounts. It allows you to create and share documents that contain live code, equations, visualizations, and narrative text. If that sounds like a lot of access to give to a web application, you’re right, it is.
As bad as that is, once you have access to the Jupyter Notebook, you can obtain the target Cosmos DB account credentials, including the databases’ Primary Key. Armed with these credentials, an attacker can view, modify, and delete data in the target Cosmos DB account in multiple ways.
To patch this hole, you must regenerate and rotate your primary read-write Cosmos DB keys for each of the impacted Azure Cosmos DB accounts. That’s easy enough. And, Microsoft claims, while this vulnerability is bad news, you don’t have to worry that much about it. Microsoft states:
We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent [the] risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.
WIZ isn’t so optimistic. While agreeing that Microsoft’s security took immediate action to fix the problem and disabled the vulnerable feature within 48 hours of being told about ChaosDB, the researchers point out that “the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed.”
I agree. It’s far better to be safe than sorry when dealing with a security hole of this size and magnitude.