
Thousands of Microsoft Azure Cosmos DB customers at risk

Clients urged to manually change primary key after Wiz discovered vulnerability that allowed it to read, write and delete data


Microsoft warned thousands of its cloud computing customers, including several Fortune 500 companies, after a research team at security company Wiz discovered it was able to access the keys that control access to those customers' main databases.

With those keys, intruders could have read, changed or even deleted the databases, Wiz researchers warned.

Wiz’s Nir Ohfeld and Sagi Tzadik wrote in a blog: “Wiz’s security research team constantly looks for new attack surfaces in the cloud, and two weeks ago we discovered an unprecedented breach that affects Azure’s flagship database service, Cosmos DB.

“Some of the world’s biggest businesses use Cosmos DB to manage massive amounts of data from around the world in near real-time. As one of the simplest and most flexible ways for developers to store data, it powers critical business functions like processing millions of prescription transactions or managing customer order flows on e-commerce sites.”

Because Microsoft cannot rotate customers' primary keys on their behalf, it emailed the affected customers telling them to generate new ones. Microsoft agreed to pay Wiz US$40,000 for finding and reporting the flaw, Reuters reported.

In its email to customers, Microsoft said it had fixed the vulnerability and that there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key,” Reuters quoted the email as saying.

Although Wiz found the vulnerability only two weeks ago, it said the flaw had been present in the system for “at least several months, possibly years”.

In the blog, Wiz explained how it found the vulnerability. “First, we gained access to customers’ Cosmos DB primary keys. Primary keys are the holy grail for attackers – they are long-lived and allow full READ/WRITE/DELETE access to customer data.

“In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB that lets customers visualise their data and create customized views. The feature was automatically turned on for all Cosmos DBs in February 2021.

“A series of misconfigurations in the notebook feature opened up a new attack vector we were able to exploit. In short, the notebook container allowed for a privilege escalation into other customer notebooks.

“As a result, an attacker could gain access to customers’ Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token.

“Next, after harvesting the Cosmos DB secrets, we showed that an attacker can leverage these keys for full admin access to all the data stored in the affected accounts. We exfiltrated the keys to gain long-term access to the customer assets and data. We could then control the customer Cosmos DB directly from the internet, with full read/write/delete permissions.”

While Microsoft notified over 30% of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure, Wiz believes many more Cosmos DB customers may be at risk. The vulnerability has been exploitable for at least several months, possibly years.
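The mitigation Microsoft asked for is a manual regeneration of each account's read-write keys. The following added example (not code from the article, Wiz or Microsoft) scripts that rotation with the Azure CLI and verifies that each regenerated key really differs from the old one. It assumes `az` is installed and logged in; the account and resource group names are placeholders, and the command runner is injectable so the procedure can be exercised without an Azure subscription.

```python
"""Cosmos DB read-write key rotation runbook (added example, assumes Azure CLI)."""
import json
import subprocess
from typing import Callable, Dict, List

# A runner takes an `az` argument list and returns stdout; injectable for testing.
Runner = Callable[[List[str]], str]


def az_run(argv: List[str]) -> str:
    """Default runner: invoke the real Azure CLI and return its stdout."""
    proc = subprocess.run(["az", *argv], check=True, capture_output=True, text=True)
    return proc.stdout


def list_keys(account: str, rg: str, run: Runner = az_run) -> Dict[str, str]:
    """Return the account's keys as reported by `az cosmosdb keys list`
    (primaryMasterKey, secondaryMasterKey, and the two read-only keys)."""
    out = run(["cosmosdb", "keys", "list", "--name", account,
               "--resource-group", rg, "--output", "json"])
    return json.loads(out)


def regenerate_key(account: str, rg: str, kind: str, run: Runner = az_run) -> None:
    """Regenerate one key; `kind` is primary, secondary, primaryReadonly or secondaryReadonly."""
    run(["cosmosdb", "keys", "regenerate", "--name", account,
         "--resource-group", rg, "--key-kind", kind])


def rotate_read_write_keys(account: str, rg: str, run: Runner = az_run) -> List[str]:
    """Rotate the secondary key first, then the primary, so an application can be
    repointed at the fresh secondary before the primary is invalidated (this example
    does not update application configuration; do that between the two steps).
    Returns the key fields that were rotated; raises if a key did not change."""
    rotated: List[str] = []
    for kind, field in (("secondary", "secondaryMasterKey"),
                        ("primary", "primaryMasterKey")):
        before = list_keys(account, rg, run)[field]
        regenerate_key(account, rg, kind, run)
        after = list_keys(account, rg, run)[field]
        if after == before:
            # A regenerate that leaves the old key valid means the exposure persists.
            raise RuntimeError(f"{kind} key unchanged after regenerate")
        rotated.append(field)
    return rotated


if __name__ == "__main__":
    # Placeholder names; replace with the affected account and its resource group.
    print(rotate_read_write_keys("my-cosmos-account", "my-resource-group"))
```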