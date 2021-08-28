



Cosmos DB is a managed, multi-model NoSQL database service that is part of Microsoft's Azure cloud infrastructure.

Cloud security vendor Wiz announced yesterday that it has discovered a vulnerability in Cosmos DB, a managed database service for Microsoft Azure. The vulnerability gave any attacker who found and exploited it read/write access to every database on the service.

Wiz discovered the vulnerability, which it named "ChaosDB," only two weeks ago, but according to the company it had been lurking in the system "for at least months, and in some cases years."

Trouble in Jupyter

Cosmos DB's Jupyter notebook feature lets users build fairly advanced data visualizations with relatively little coding experience or effort.

The elevation-of-privilege vulnerability allowed anyone with a Cosmos DB account to steal the primary keys of other Cosmos DB accounts through the Jupyter notebook feature.

Once an attacker holds a victim's primary key, it is game over: the key grants full read/write/delete access to the victim's databases, that access persists indefinitely, and it cannot be revoked without rotating the affected key.

In 2019, Microsoft added the open source Jupyter Notebook feature to Cosmos DB. Jupyter Notebook is a particularly user-friendly way to implement machine-learning algorithms, and Microsoft specifically promoted notebooks as a useful tool for visualizing data stored in Cosmos DB.

The Jupyter Notebook feature was automatically enabled on all new Cosmos DB instances starting in February 2021, but Wiz believes the bug in question probably dates back to the feature's first introduction in Cosmos DB in 2019.

Wiz has not yet published full technical details, but the short version is that a misconfiguration of the Jupyter feature made an elevation-of-privilege exploit possible. That exploit could be used to obtain the primary keys of other Cosmos DB customers, along with other secrets.

Access to the primary key of a Cosmos DB instance is "game over": it grants full read, write, and delete permissions on every database that belongs to that key. Ami Luttwak, Chief Technology Officer of Wiz, described this as "the worst cloud vulnerability you can imagine," adding that "it was Azure's central database, and we could access all the customer databases we wanted."

Long-lived secrets

Unlike ephemeral secrets and tokens, Cosmos DB primary keys do not expire, so a key that has already leaked stays valid until it is changed. An attacker could use such a key to steal, manipulate, or even destroy a database years later.

According to Wiz, Microsoft emailed only about 30% of Cosmos DB customers about this vulnerability. The email warned them to manually rotate their primary keys so that any leaked key would no longer be useful to an attacker. Those customers are the ones who had the Jupyter Notebook feature enabled during the roughly one-week window in which Wiz was researching the vulnerability.

Since February 2021, when all new Cosmos DB instances began being created with the Jupyter Notebook feature enabled, the Cosmos DB service has automatically disabled the feature if it was not used within the first three days. That is why the number of notified customers is so small: the 70% Microsoft did not notify had either disabled Jupyter manually or had it disabled automatically because it went unused.

Unfortunately, this does not cover the full scope of the vulnerability. Any Cosmos DB instance that had Jupyter enabled was vulnerable, and because the primary key is not a short-lived secret, there is no way to determine who holds the key for which instance. An attacker with a particular target in mind could have quietly harvested that target's primary key without (yet) doing anything unpleasant enough to be noticed.

It also ignores a broader scenario: a hypothetical attacker who scraped the primary key of every new Cosmos DB instance during its first three days, throughout the vulnerability window, and saved those keys for later use. If your Cosmos DB instance may ever have had the Jupyter notebook feature enabled, you should rotate its keys immediately to be safe.
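As an added worked example (not part of the original article, and not code from Microsoft or Wiz), here is the rotation the article recommends, performed with the Azure CLI. It assumes an authenticated `az` session and takes the account and resource-group names as arguments; the names used in any invocation are placeholders. It goes a step beyond the article's mention of the primary key: an attacker who could read the primary key should be assumed to have read the other keys too, so it regenerates all four account keys, secondary before primary so that a live application can be switched over between the two steps.

```shell
#!/bin/sh
# Added example: regenerate every key of a Cosmos DB account with the Azure CLI.
# Requires an authenticated `az` session; account/resource-group names are
# supplied by the caller (placeholders in any usage shown here).
set -eu

# Regenerate one key kind. Valid kinds for `az cosmosdb keys regenerate`:
# primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
    account="$1"; group="$2"; kind="$3"
    az cosmosdb keys regenerate \
        --name "$account" \
        --resource-group "$group" \
        --key-kind "$kind" >/dev/null
    echo "regenerated $kind"
}

# Rotate all four keys. Order matters for live workloads: regenerate the
# secondary first so applications can be moved onto it, then the primary,
# then the two read-only keys in the same fashion.
rotate_all() {
    account="$1"; group="$2"
    for kind in secondary primary secondaryReadonly primaryReadonly; do
        regenerate_key "$account" "$group" "$kind"
    done
}

# Only act when invoked with explicit arguments: <account> <resource-group>.
if [ "$#" -eq 2 ]; then
    rotate_all "$1" "$2"
fi
```

Run it as `sh rotate-cosmos-keys.sh <account> <resource-group>`. Regenerating a key invalidates the old value immediately, so move every application's connection string to the other key before regenerating the one it is currently using; `az cosmosdb keys list --name <account> --resource-group <resource-group>` shows the new values afterwards.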

Microsoft response

Microsoft mitigated the ChaosDB vulnerability two weeks ago, within 48 hours of Wiz's private report. Unfortunately, Microsoft cannot change customers' primary keys on their behalf; Cosmos DB customers are responsible for rotating their own keys.

According to Microsoft, there is no evidence that a malicious attacker discovered and exploited ChaosDB before Wiz did. In an emailed statement to Bloomberg, Microsoft said it "is not aware of any customer data being accessed because of this vulnerability." In addition to alerting more than 3,000 customers to the vulnerability and providing mitigation steps, Microsoft paid Wiz a $40,000 bounty.

