“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

Discussion in 'Networking and Security' started by themickey, Aug 28, 2021.

  1. themickey


    “Worst cloud vulnerability you can imagine” discovered in Microsoft Azure
    30% of Cosmos DB customers were notified—more are likely impacted.
    by Jim Salter - Aug 28, 2021

    Cosmos DB is a managed database service offering—including both relational and noSQL data structures—belonging to Microsoft's Azure cloud infrastructure.
    Cloud security vendor Wiz announced yesterday that it found a vulnerability in Microsoft Azure's managed database service, Cosmos DB, that granted read/write access for every database on the service to any attacker who found and exploited the bug.

    Although Wiz only found the vulnerability—which it named "Chaos DB"—two weeks ago, the company says that the vulnerability has been lurking in the system for "at least several months, possibly years."

    A slingshot around Jupyter

    Jupyter notebook functionality in CosmosDB enables many advanced data visualization techniques with relatively little coding experience or effort.

    In 2019, Microsoft added the open-source Jupyter Notebook functionality to Cosmos DB. Jupyter Notebooks are a particularly user-friendly way to implement machine learning algorithms; Microsoft promoted Notebooks specifically as a useful tool for advanced visualization of data stored in Cosmos DB.

    Jupyter Notebook functionality was enabled automatically for all Cosmos DB instances in February 2021, but Wiz believes the bug in question likely goes back further—possibly all the way back to Cosmos DB's first introduction of the feature in 2019.

    Wiz isn't giving away all the technical details yet, but the short version is that misconfiguration in the Jupyter feature opens up a privilege escalation exploit. That exploit could be abused to gain access to other Cosmos DB customers' primary keys—according to Wiz, any other Cosmos DB customer's primary key, along with other secrets.

    Access to a Cosmos DB instance's primary key is "game over." It allows full read, write, and delete permissions to the entire database belonging to that key. Wiz's Chief Technology Officer Ami Luttwak describes this as "the worst cloud vulnerability you can imagine," adding, "This is the central database of Azure, and we were able to get access to any customer database that we wanted."

    Long-lived secrets
    Unlike ephemeral secrets and tokens, a Cosmos DB's primary key does not expire—if it has already been leaked and is not changed, an attacker could still use that key to exfiltrate, manipulate, or destroy the database years from now.

    According to Wiz, Microsoft only emailed 30 percent or so of its Cosmos DB customers about the vulnerability. The email warned those users to rotate their primary key manually, in order to make certain that any leaked keys are no longer useful to attackers. Those Cosmos DB customers are the ones which had Jupyter Notebook functionality enabled during the week or so in which Wiz explored the vulnerability.

    Since February 2021, when all new Cosmos DB instances were created with Jupyter Notebook functions enabled, the Cosmos DB service automatically disabled Notebook functionality if it wasn't used within the first three days. This is why the number of Cosmos DB customers notified was so low—the 70 percent or so of customers not notified by Microsoft had either manually disabled Jupyter or had it disabled automatically due to lack of use.

    Unfortunately, this doesn't really cover the full scope of the vulnerability. Because any Cosmos DB instance with Jupyter enabled was vulnerable, and because the primary key is not an ephemeral secret, it is impossible to know for certain who has the keys to which instances. An attacker with a specific target could have quietly harvested that target's primary key but not done anything obnoxious enough to be noticed (yet).

    We also can't rule out a broader impact scenario, with a hypothetical attacker who scraped the primary key from each new Cosmos DB instance during its initial three-day vulnerability window, then saved those keys for potential later use. We agree with Wiz here—if your Cosmos DB instance might ever have had Jupyter notebook functionality enabled, you should rotate its keys immediately to ensure security going forward.

    Microsoft's response
    Microsoft disabled the Chaos DB vulnerability two weeks ago—less than 48 hours after Wiz privately reported it. Unfortunately, Microsoft cannot change its customers' primary keys itself; the onus is on Cosmos DB customers to rotate their keys.

    According to Microsoft, there's no evidence that any malicious actors found and exploited Chaos DB prior to the Wiz discovery. An emailed statement from Microsoft to Bloomberg said, "We are not aware of any customer data being accessed because of this vulnerability." In addition to warning 3,000+ customers of the vulnerability and providing mitigation instructions, Microsoft paid Wiz a $40,000 bounty.
    d08, kmiklas, fan27 and 1 other person like this.
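The article's only mitigation is manual key rotation, and the reason it matters is in the "Long-lived secrets" section: a Cosmos DB primary key never expires, so a copy taken months ago still works until the key is regenerated. The script below is an added example, not part of the article or of Wiz's or Microsoft's material, showing the rotation order that keeps applications connected throughout: regenerate the secondary key, move clients to it, then regenerate the possibly leaked primary. It assumes the Azure CLI (`az cosmosdb keys regenerate`) is installed and logged in; the account and resource-group names are placeholders, and `DRY_RUN=1` only prints the commands so the sequence can be reviewed before anything is changed.

```shell
#!/usr/bin/env sh
# Zero-downtime rotation of a Cosmos DB account's read-write keys.
# ACCOUNT and RESOURCE_GROUP are placeholders; set them for the real account.
# DRY_RUN=1 prints each az command instead of executing it.

ACCOUNT="${ACCOUNT:-example-cosmos-account}"      # placeholder name
RESOURCE_GROUP="${RESOURCE_GROUP:-example-rg}"    # placeholder name
DRY_RUN="${DRY_RUN:-0}"

# Run an az subcommand, or echo it when dry-running.
run_az() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'az %s\n' "$*"
    else
        az "$@"
    fi
}

# Regenerate one key of the account. $1 is "primary" or "secondary";
# the read-only keys (primaryReadonly, secondaryReadonly) take the same path.
regenerate_key() {
    run_az cosmosdb keys regenerate \
        --name "$ACCOUNT" --resource-group "$RESOURCE_GROUP" \
        --key-kind "$1"
}

# Rotation order: clients are always switched to a key that was just
# regenerated, so the key they hold is never the one being invalidated.
rotate_keys() {
    # 1. Secondary first: nothing should be connecting with it yet.
    regenerate_key secondary
    # 2. Operator step: repoint every client (app settings, Key Vault
    #    references) at the new secondary key and confirm they connect.
    # 3. Only now invalidate the primary, which is the key that may have leaked.
    regenerate_key primary
    # 4. Optionally move clients back to the new primary, then repeat the
    #    secondary regeneration so no key in use predates the rotation.
}

# Entry point for interactive use: `sh rotate.sh rotate` performs the rotation.
case "${1:-}" in
    rotate) rotate_keys ;;
esac
```

Run it once with `DRY_RUN=1 sh rotate.sh rotate` to see the two `az` commands it will issue; the operator step between them (repointing clients) is deliberately left manual because it depends on where each application reads its connection string. After the rotation, `az cosmosdb keys list --name <account> --resource-group <rg> --type keys` shows the new values, and any key harvested earlier is dead.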
  2. VicBee


    $40k... that's it? Cheap bastards
    kmiklas and themickey like this.
  3. Trader200K


    Months … Years … thank goodness that was the only one :cool:
    kmiklas likes this.
  4. virtusa


    There are two things I NEVER do:
    • use social media (FB, Twitter, Snapchat...)
    • put something in the cloud
    With 100% certainty using these things will get you in trouble one day.
    SPX Options Trader likes this.
  5. themickey


    Imo, year by year our freedom is slowly being eroded, your details are on computers all over the place, you are being tracked and spied on via your details supplied/required constantly.
    Now with covid-19, this has been a great tool to further tighten down the screws.

    There's no way out bro, unless you decide to become a hermit somewhere without gummint support, then you lose lots of benefits like computer access, healthcare and banking etc.
  6. d08


    The latter I don't necessarily agree with. Consider that the majority of properly run servers are not exploited, at least not in any meaningful way; cloud can be safe, especially if you limit services to the bare minimum. In the end your home machine is not particularly better protected; you're still online and visible to exploiters.
    themickey and VicBee like this.
  7. themickey


    A vaccination certificate which includes your personal details will be on cloud via Medicare/national Health authority.
    No cert means coming restrictions on travel, employment, restaurants, group gatherings.
  8. Ugghh, I can practically feel... a One World Government and One World Currency becoming a reality... some time down the road, far or near, in the future.
    It's inevitable. Consolidation, and Power. The New World Order, the Illuminati, all foretold in the bible.
    All humans will be chipped, tagged, inventoried and accounted for 24/7/365. The Powers that be... can control and limit your life at will.
    Welcome to The Revolution.
    Last edited: Aug 28, 2021
  9. VicBee


    Pills time!
    themickey likes this.
  10. virtusa


    History repeats itself: people start to think that imaginable things are really going to happen.

    Last edited: Aug 29, 2021
    #10     Aug 29, 2021
    themickey likes this.