
Microsoft warns of critical Azure Cloud vulnerability impacting Cosmos DB accounts


Charlie Osborne

27 August 2021 at 15:30 UTC

Updated: 27 August 2021 at 15:36 UTC

Researchers say the problem has been exploitable for ‘months’


Microsoft has urged customers to take action following the discovery of an Azure Cloud vulnerability allowing remote account takeover in Cosmos DB.

Disclosed by the Wiz security team on August 26, the critical vulnerability, nicknamed ‘#ChaosDB’, was discovered on August 9 and is described as an “unprecedented” flaw in the Azure Cosmos DB database.

Due to the severity of the vulnerability, the full technical details of the bug and the means to exploit it have not been released.


However, Wiz says that a chain of vulnerabilities found in the Jupyter Notebook feature of the platform can be used to query information about a target database and obtain credentials for Cosmos DB accounts, Jupyter Notebook compute, and Jupyter storage accounts.

This includes primary keys. Once an attacker has stolen a key, they could then access, view, tamper with, and delete information in a Cosmos DB database without authorization.

MisFortune 500

“The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies,” Wiz says.

The researchers reported the security flaw to Microsoft on August 12. The company disabled vulnerable components of the Jupyter feature within 48 hours of private disclosure.

By August 16, Wiz noticed that credentials obtained during testing had been revoked, and 24 hours later, the team were awarded a $40,000 bug bounty reward.

Meanwhile, Microsoft launched its own investigation and was able to confirm that several thousand customers could be affected.

Cutting new keys

The Redmond-based giant publicly disclosed the vulnerability on August 26 in an advisory sent to impacted customers. As the company is unable to roll over primary keys on behalf of its customers, Microsoft is urging customers to regenerate their keys as soon as possible.
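For the key regeneration Microsoft is asking for, the following Azure CLI script is an added example; it is not code from the article, from Microsoft or from Wiz. It assumes the `az` CLI is installed and logged in, the account and resource-group names are placeholders supplied by the operator, and `DRY_RUN=1` prints the commands instead of running them. It goes a step beyond the article's advice by rotating in the order that avoids an outage: the secondary key is regenerated first so clients can be repointed to it, and only then is the primary read-write key (the one the advisory concerns) replaced.

```shell
#!/bin/sh
# Added example, not from the article, Microsoft or Wiz: rotate the read-write
# keys of an Azure Cosmos DB account with the Azure CLI without an outage.
# Assumes `az` is installed and logged in. The account and resource-group names
# are placeholders supplied by the operator; DRY_RUN=1 only prints the commands.
set -eu

# Build the az command that regenerates one key. Only the two read-write
# kinds are accepted; anything else is rejected so a typo cannot run.
regenerate_cmd() {
    account="$1"; rg="$2"; kind="$3"
    case "$kind" in
        primary|secondary) ;;
        *) printf 'unsupported key kind: %s\n' "$kind" >&2; return 1 ;;
    esac
    printf 'az cosmosdb keys regenerate --name %s --resource-group %s --key-kind %s\n' \
        "$account" "$rg" "$kind"
}

# Run (or, with DRY_RUN=1, just print) one command line.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '[dry-run] %s\n' "$1"
    else
        sh -c "$1"
    fi
}

# Rotate both keys in the safe order: a new secondary key is issued first,
# clients are repointed to it, and only then is the primary key replaced.
# The pause is skipped in dry-run mode so the plan can be reviewed unattended.
rotate_keys() {
    account="$1"; rg="$2"
    run_cmd "$(regenerate_cmd "$account" "$rg" secondary)"
    if [ "${DRY_RUN:-0}" != "1" ]; then
        printf 'Repoint clients of %s to the new secondary key, then press Enter: ' "$account"
        read -r _ </dev/tty
    fi
    run_cmd "$(regenerate_cmd "$account" "$rg" primary)"
    printf 'Rotation of %s complete; repoint clients to the new primary key.\n' "$account"
}

# Rotate every Cosmos DB account in the current subscription.
# `az cosmosdb list` with a tsv multiselect yields "name<TAB>resourceGroup" per line.
rotate_all() {
    az cosmosdb list --query '[].[name,resourceGroup]' -o tsv |
    while IFS="$(printf '\t')" read -r name rg; do
        rotate_keys "$name" "$rg"
    done
}

# Usage: DRY_RUN=1 sh rotate_cosmos_keys.sh <account> <resource-group>
#        sh rotate_cosmos_keys.sh --all
if [ $# -eq 2 ]; then
    rotate_keys "$1" "$2"
elif [ "${1:-}" = "--all" ]; then
    rotate_all
fi
```

Run it once with `DRY_RUN=1` to review the plan, then without it; the prompt between the two regenerations is the point at which application configuration is switched to the new secondary key, and because every regeneration invalidates the key it replaces, any key an attacker may already hold stops working as soon as the corresponding step runs.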

“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key,” the company said.

Microsoft added that there were no signs of exploitation or data theft in the wild, nor that anyone outside of Wiz had obtained access to primary read-write keys associated with Azure Cosmos DB accounts.

Wiz says that organizations should “assume” they have been exposed to attack due to the length of time it took to find and fix the flaw. Roughly 30% of Cosmos DB customers have been notified, but the researchers say they believe the number of customers impacted may be “far higher”.

A technical paper describing Wiz’s findings will be published at a later date.

CVEs are not usually issued for cloud security issues. However, at Black Hat USA 2021 Wiz called for a CVE cloud security initiative that would change this approach.
