By security practitioners, for security practitioners

Microsoft Discloses Critical Azure Cosmos DB Vulnerability

Though Microsoft addressed the vulnerability within 48 hours of it being reported, additional action is still required by Azure Cosmos DB customers.

Background

Microsoft warned its customers Thursday of a critical vulnerability in its managed Cosmos DB offering in Azure. The vulnerability allows an attacker with no prior access to the environment to obtain a target account's primary key and, with it, unrestricted access to that account's database resources. It has been dubbed ChaosDB by Wiz, the Israeli research team that demonstrated the proof-of-concept attack. Microsoft has fixed the underlying issue in the managed cloud offering, but additional steps by customers are required to minimize the potential impact.

ChaosDB Details

This vulnerability exploits issues in the Jupyter Notebook to Cosmos DB integration, which was designed to help administrators visualize the data within Cosmos DB. Through a series of misconfigurations, an attacker can use their own Jupyter Notebook instance to escalate privileges into other customers' notebooks, and from there gain access to the victim's client keys and other sensitive data.

Microsoft patched the issue and sent advisories to approximately 30% of its Cosmos DB customers, those who were directly identified as exposed during the research period. Wiz researchers hypothesize that more customers could be affected. Microsoft found no indication that any customer databases were accessed by exploiting this vulnerability, but rotating keys and reviewing audit data in Azure is recommended for all Cosmos DB customers.

Mitigations

Though Microsoft has found no direct indication that this vulnerability has been exploited by anyone other than the Wiz researchers, it is highly recommended that you rotate your Cosmos DB client keys immediately. A link to Microsoft's instructions on rotating your client keys is included in the Resources section below.

Additional Recommendations from Microsoft:

  • Review Cosmos DB audit data for signs of compromised keys.
  • Schedule regular rotation and regeneration of primary and secondary keys.
  • Utilize Azure Cosmos DB Firewall and virtual network integration to limit network level access.
  • If you are utilizing Azure Cosmos DB Core API, consider using Azure Cosmos DB Role Based Access Controls (RBAC). With RBAC enabled, it is possible to completely disable the account’s primary/secondary keys.
  • Review Cosmos DB Security Baseline document from Microsoft.
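The first and fourth recommendations above (review audit data for compromised-key use, and move to RBAC so account keys can be disabled) can be approached together by triaging Cosmos DB data-plane diagnostic records. The script below is an added example, not code from the Novacoast post, Wiz or Microsoft. It assumes records exported from Log Analytics as newline-delimited JSON with the AzureDiagnostics DataPlaneRequests column names (authTokenType_s, keyType_s, clientIpAddress_s, statusCode_s, TimeGenerated); the sample rows, the trusted network range and the rotation timestamp are all constructed. It flags key-authenticated requests from outside your trusted networks, 401s on key auth after the rotation time (an old key still being presented, which from an untrusted address is a stolen key now being rejected and from a trusted address is a client that was not updated), and summarizes which authentication types still carry traffic so you can tell when disabling the account keys would not break legitimate clients.

```python
"""Triage Azure Cosmos DB data-plane diagnostic records after a key-exposure advisory.

Added example; field names are an assumption modeled on the AzureDiagnostics
DataPlaneRequests schema, and all sample data below is constructed.
"""
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: one JSON object per line.
SAMPLE_LOG = """\
{"TimeGenerated": "2021-08-27T09:15:00Z", "clientIpAddress_s": "10.1.2.3", "authTokenType_s": "key", "keyType_s": "PrimaryMasterKey", "statusCode_s": "200", "requestResourceType_s": "Document"}
{"TimeGenerated": "2021-08-27T09:20:00Z", "clientIpAddress_s": "203.0.113.77", "authTokenType_s": "key", "keyType_s": "PrimaryMasterKey", "statusCode_s": "200", "requestResourceType_s": "Document"}
{"TimeGenerated": "2021-08-27T10:05:00Z", "clientIpAddress_s": "10.1.2.4", "authTokenType_s": "aad", "keyType_s": "", "statusCode_s": "200", "requestResourceType_s": "Document"}
{"TimeGenerated": "2021-08-27T11:00:00Z", "clientIpAddress_s": "10.1.2.3", "authTokenType_s": "key", "keyType_s": "SecondaryMasterKey", "statusCode_s": "200", "requestResourceType_s": "Collection"}
{"TimeGenerated": "2021-08-27T12:30:00Z", "clientIpAddress_s": "203.0.113.77", "authTokenType_s": "key", "keyType_s": "PrimaryMasterKey", "statusCode_s": "401", "requestResourceType_s": "Document"}
"""

# Constructed: networks your own applications legitimately connect from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
# Constructed: the moment you regenerated the account keys.
KEYS_ROTATED_AT = datetime.fromisoformat("2021-08-27T12:00:00+00:00")


def parse_records(ndjson):
    """Parse NDJSON rows; TimeGenerated becomes a timezone-aware datetime."""
    records = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat does not accept a trailing 'Z' on older Pythons.
        rec["TimeGenerated"] = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def ip_is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(records, networks=TRUSTED_NETWORKS, rotated_at=KEYS_ROTATED_AT):
    """Return the three findings a defender wants after ChaosDB-style key exposure."""
    untrusted_key_use = []    # key auth from outside trusted networks
    stale_key_attempts = []   # key auth rejected (401) after rotation
    auth_summary = Counter()  # (auth type, key type) -> request count
    for rec in records:
        auth = rec.get("authTokenType_s", "")
        auth_summary[(auth, rec.get("keyType_s", ""))] += 1
        if auth != "key":
            continue
        if not ip_is_trusted(rec["clientIpAddress_s"], networks):
            untrusted_key_use.append(rec)
        if rec["statusCode_s"] == "401" and rec["TimeGenerated"] >= rotated_at:
            stale_key_attempts.append(rec)
    return {
        "untrusted_key_use": untrusted_key_use,
        "stale_key_attempts": stale_key_attempts,
        "auth_summary": auth_summary,
    }


def keys_can_be_disabled(auth_summary):
    """True when no key-authenticated traffic remains, i.e. every client is on
    Azure AD / Cosmos DB RBAC and the account keys can be switched off."""
    return all(auth != "key" for auth, _ in auth_summary)


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG))
    for rec in result["untrusted_key_use"]:
        print("key auth from untrusted IP:", rec["clientIpAddress_s"], rec["TimeGenerated"].isoformat(), rec["statusCode_s"])
    for rec in result["stale_key_attempts"]:
        print("old key presented after rotation:", rec["clientIpAddress_s"], rec["TimeGenerated"].isoformat())
    for (auth, key_type), count in sorted(result["auth_summary"].items()):
        print(f"auth={auth or '-'} key={key_type or '-'} requests={count}")
    print("safe to disable account keys:", keys_can_be_disabled(result["auth_summary"]))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and TRUSTED_NETWORKS with your application and Cosmos DB Firewall ranges. Any hit in untrusted_key_use before the rotation time is worth an incident ticket; once auth_summary shows only non-key traffic, disabling the account's primary/secondary keys (the RBAC step in the list above) can be done without breaking clients.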

Resources

Wiz ChaosDB Advisory
https://chaosdb.wiz.io/

BleepingComputer Writeup
https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-azure-customers-of-critical-cosmos-db-vulnerability/

Microsoft Guide to Rotating Cosmos DB keys
https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

Microsoft Cosmos DB Security Baseline
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cosmos-db-security-baseline

WB

