
    Microsoft warns Azure customers of critical Cosmos DB vulnerability


    Microsoft has warned thousands of Azure customers that a now-fixed critical vulnerability in Cosmos DB allowed any user to remotely take over other customers' databases, granting full administrative access without any authorization.

    Azure Cosmos DB is a globally distributed and fully managed NoSQL database service used by high-profile customers, including Mercedes Benz and Symantec.

    “Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key,” the company told customers.

    “We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability.”

    The research team at cloud security firm Wiz, who discovered the flaw, dubbed it ChaosDB and disclosed it to Microsoft on August 12, 2021.

    The vulnerability let attackers chain a series of bugs in the Jupyter Notebook feature of Cosmos DB to obtain other customers' Cosmos DB credentials, including the account's primary key, which is sufficient to remotely read, write, or delete the targets' data.

    “The vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies,” the researchers said.

    ChaosDB exploitation flow (Wiz)

    Microsoft disabled the vulnerable Jupyter Notebook feature within 48 hours of receiving the report, and on August 26, two weeks later, notified more than 30% of Cosmos DB customers of a potential security breach.

    However, according to the Wiz research team, the actual number of affected customers is likely far larger and probably includes most Cosmos DB customers, given that the ChaosDB vulnerability was present, and could have been exploited, for months before the disclosure.

    To mitigate the risk and block potential attacks, Microsoft advises Azure customers to regenerate the Cosmos DB primary keys that could have been stolen before the vulnerable feature was disabled. Regeneration invalidates any copy an attacker may hold, but it also invalidates the key for every legitimate client still configured with it, so applications must be repointed as part of the same change.

    The company also advised customers to take the following recommended actions to further secure their Azure Cosmos DB databases:

    1. Schedule a regular rotation and regeneration of your primary and secondary keys.
    2. As a standard security best practice, consider using the Azure Cosmos DB firewall and virtual network integration to control access to your accounts at the network level.
    3. If you are using the Azure Cosmos DB Core (SQL) API, consider using Azure Cosmos DB role-based access control (RBAC) to authenticate your database operations with Azure Active Directory instead of primary/secondary keys. With RBAC, you have the option to completely disable your account's primary/secondary keys.
    4. For a complete overview of the security controls available on Azure Cosmos DB, refer to our security baseline.
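    The remediation steps above (regenerate the keys that may have been exposed, rotate them routinely, restrict network access, and replace keys with Azure AD RBAC) as one Azure CLI script, added here as an example and not code from the article, from Wiz, or from Microsoft. The resource group, account name, subnet ID, managed-identity object ID and IP range are placeholder assumptions; DRY_RUN=1 prints each az command instead of running it, so the sequence can be reviewed before it touches a live account.

```shell
#!/usr/bin/env bash
# Added example, not from the article or from Microsoft: applies the
# post-ChaosDB hardening steps to one Cosmos DB account with the Azure CLI.
# Resource group, account, subnet, principal and IP range below are assumed
# placeholders. DRY_RUN=1 prints each az command instead of executing it.
set -eu

RG="${RG:-my-rg}"
ACCOUNT="${ACCOUNT:-my-cosmos-account}"
SUBNET_ID="${SUBNET_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Network/virtualNetworks/app-vnet/subnets/app-subnet}"
APP_PRINCIPAL_ID="${APP_PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"  # assumed managed identity object id
ALLOWED_IPS="${ALLOWED_IPS:-203.0.113.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Built-in data-plane role "Cosmos DB Built-in Data Contributor".
DATA_CONTRIBUTOR_ROLE="00000000-0000-0000-0000-000000000002"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Regenerate every key, in an order that keeps clients working. A key an
#    attacker may have read is worthless to them once it is regenerated, but
#    every client still holding the old value loses access at that moment, so
#    each regeneration is followed by a step where applications are repointed.
rotate_keys() {
  run az cosmosdb keys regenerate -g "$RG" -n "$ACCOUNT" --key-kind secondary
  # -> move application config to the new secondary key, then continue
  run az cosmosdb keys regenerate -g "$RG" -n "$ACCOUNT" --key-kind primary
  # -> move application config back to the new primary key
  run az cosmosdb keys regenerate -g "$RG" -n "$ACCOUNT" --key-kind secondaryReadonly
  run az cosmosdb keys regenerate -g "$RG" -n "$ACCOUNT" --key-kind primaryReadonly
}

# 2. Network controls: an exfiltrated key cannot be used from the internet if
#    the account only accepts traffic from your subnet and a short IP allow-list.
restrict_network() {
  run az cosmosdb update -g "$RG" -n "$ACCOUNT" \
    --enable-virtual-network true \
    --virtual-network-rules "$SUBNET_ID" \
    --ip-range-filter "$ALLOWED_IPS"
}

# 3. Move data-plane auth to Azure AD RBAC, then turn key-based auth off
#    entirely (Core/SQL API). With disableLocalAuth=true a stolen key is
#    rejected even if a rotation was missed; switch every client to an
#    identity first, or they all stop working.
enable_rbac_and_disable_keys() {
  run az cosmosdb sql role assignment create -g "$RG" -a "$ACCOUNT" \
    --role-definition-id "$DATA_CONTRIBUTOR_ROLE" \
    --principal-id "$APP_PRINCIPAL_ID" \
    --scope "/"
  run az resource update -g "$RG" -n "$ACCOUNT" \
    --resource-type "Microsoft.DocumentDB/databaseAccounts" \
    --set properties.disableLocalAuth=true
}

# Run all three phases only when invoked with --apply; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  rotate_keys
  restrict_network
  enable_rbac_and_disable_keys
fi
```

    Order matters: the script regenerates the secondary key first so clients can be moved across while the primary is regenerated, then back again. Disabling local auth is the step that actually closes this class of key theft, since a leaked key is then rejected regardless of when it was taken, but it only belongs after every client has been switched to an Azure AD identity.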

    Reviewing all past activity on Cosmos DB accounts is also recommended, to detect earlier attempts to exploit this vulnerability.

    At Microsoft's request, the researchers have not yet released technical details about the ChaosDB flaw that could help threat actors build their own exploits, but they plan to publish a full technical paper soon.

    The Wiz research team also recently disclosed a new class of DNS vulnerabilities affecting major DNS-as-a-Service (DNSaaS) providers that could let attackers access sensitive information from corporate networks, in what was described as “nation-state level spying” campaigns.

    Disclosure Timeline:

    • August 09, 2021 – Wiz Research Team first exploited the bug and gained unauthorized access to Cosmos DB accounts.
    • August 12, 2021 – Wiz Research Team sent the advisory to Microsoft.
    • August 14, 2021 – Wiz Research Team observed that the vulnerable feature had been disabled.
    • August 16, 2021 – MSRC confirmed the reported behavior (MSRC Case 66805).
    • August 16, 2021 – Wiz Research Team observed that some of the obtained credentials had been revoked.
    • August 17, 2021 – MSRC awarded a $40,000 bounty for the report.
    • August 23, 2021 – MSRC confirmed that several thousand customers are impacted.
    • August 26, 2021 – Public disclosure.
