Microsoft is warning customers of a serious vulnerability in one of its cloud database products, used by thousands of organizations, that appears to have been present for years without anyone being aware of it. The flaw exposed the primary read-write keys of Azure Cosmos DB accounts, allowing an attacker not just to read a database's contents but also to change or delete them.
The vulnerability was discovered by security researchers and reported privately to Microsoft, which emailed affected customers saying it has seen no evidence that outside parties exploited it. Even so, the company is advising its Cosmos DB customers to regenerate their keys via the “Keys” menu in the Azure portal, since it cannot rotate customer-controlled keys on their behalf.
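The portal's “Keys” menu is one way to do the rotation; the script below does the same thing with the Azure CLI. It is an added example, not code from the article or from Microsoft. The account name, resource group and the APPLY flag are assumptions, and the commands themselves (`az cosmosdb keys regenerate`, `az cosmosdb keys list`) are the documented CLI calls. By default the script only prints the commands it would run so the plan can be reviewed; APPLY=1 executes them.

```shell
#!/usr/bin/env sh
# Added example (not from the article or from Microsoft): rotate the keys of
# an Azure Cosmos DB account with the Azure CLI in an order that avoids
# downtime. ACCOUNT, RG and APPLY are assumptions; by default each az command
# is printed rather than executed so the rotation plan can be reviewed first.

ACCOUNT="${ACCOUNT:-example-cosmos}"   # assumed account name
RG="${RG:-example-rg}"                 # assumed resource group
APPLY="${APPLY:-0}"                    # APPLY=1 executes, anything else prints

# Execute the given command when APPLY=1, otherwise print it unchanged.
run_or_print() {
  if [ "$APPLY" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Regenerate one key. KIND is a value az accepts for --key-kind:
# primary, secondary, primaryReadonly or secondaryReadonly.
regenerate_key() {
  run_or_print az cosmosdb keys regenerate \
    --name "$ACCOUNT" --resource-group "$RG" --key-kind "$1"
}

# List the current keys (TYPE: keys | read-only-keys) to confirm a rotation.
list_keys() {
  run_or_print az cosmosdb keys list \
    --name "$ACCOUNT" --resource-group "$RG" --type "$1"
}

# Rotate a key pair without downtime: regenerate the key the applications are
# NOT using, cut the applications over to it, then regenerate the other key.
# The cut-over itself is application-specific, so it is printed as a reminder.
rotate_pair() {
  active="$1"    # key the applications currently use
  standby="$2"   # key assumed to be unused right now
  regenerate_key "$standby"
  printf '# move applications from %s to %s before continuing\n' "$active" "$standby"
  regenerate_key "$active"
  printf '# applications may now move back to %s\n' "$active"
}

# Rotate both the read-write and the read-only pair, then list the new keys.
rotate_all() {
  rotate_pair primary secondary
  rotate_pair primaryReadonly secondaryReadonly
  list_keys keys
  list_keys read-only-keys
}

# Number of az commands a full rotation issues (reminder lines excluded).
count_commands() {
  rotate_all | grep -c '^az '
}

rotate_all
```

Running it with APPLY=1 requires an authenticated `az login` session with rights to regenerate keys on the account. Rotating the keys invalidates anything an attacker may have copied, but applications still holding the old value will fail until they are moved to the new one, which is why each pair is rotated one key at a time.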
Microsoft cloud databases left exposed for years by faulty default tool
Launched in 2017, Cosmos DB is estimated to be used by about 3,000 companies in the United States. The vulnerability, dubbed ChaosDB, was discovered by the cloud security firm Wiz, which collected a $40,000 bug bounty after notifying Microsoft of the issue on August 12.
Though the researchers notified Redmond within three days of discovering the issue, and though Microsoft fixed it before Wiz informed the public in a blog post, there are concerns about how long the window of exposure was. The problem lies in the Jupyter Notebooks feature built into Cosmos DB, which has been available to all accounts since 2019 and was enabled by default from February of this year. The notebooks make it easy to query data and build charts from it, but unbeknownst to Microsoft a chain of misconfigurations in the notebook environment also allowed a user to break out of their own notebook container and reach the containers belonging to other customers on the shared public cloud service. From there, an attacker could read those customers' Cosmos DB primary keys and access tokens, which grant full read, write and delete permissions on their data.
The feature is currently disabled while Microsoft makes security changes, but customers are being advised to regenerate the keys of their cloud databases because of how long the exposure may have lasted. Microsoft said it has so far notified at least 30% of its Cosmos DB customers about the issue and, because the keys are customer-managed, cannot rotate them on customers' behalf. The vulnerability affects every customer that has ever used the notebook feature at any point, as well as any customer that created a Cosmos DB account in or after January 2021. Though Cosmos DB has a relatively small share of the cloud database market, it is used by quite a few large companies: Exxon-Mobil, Quest Diagnostics, Liberty Mutual Insurance, Siemens, Symantec, Coca-Cola, and Jet.com, to name a few.
Microsoft’s recent string of critical security vulnerabilities
Microsoft has had a very difficult year in terms of its reputation for the security of its product line. The company only recently issued a security advisory for the “ProxyShell” set of Exchange Server vulnerabilities, part of a run of Exchange flaws that has plagued it since late last year, with new holes emerging and being actively exploited by threat actors. On August 21, the Cybersecurity and Infrastructure Security Agency (CISA) warned that a months-old vulnerability of this type was being exploited to gain a foothold on servers and deploy ransomware. And a long-standing vulnerability in the Windows Print Spooler service, discovered only recently, continues to be a problem: the initial fix had to be revised after a new way of exploiting the flaw emerged.
Issue with vulnerabilities and misconfigurations in cloud databases
Part of the issue is that vulnerabilities in cloud databases are generally not tracked and documented as well as other categories of vulnerability. They are often treated as configuration problems (and thus as user error or a failure to follow documented guidance) rather than as genuine security flaws, so they rarely receive an identifier or an advisory. That hampers both the creation of fixes and the effort to get the word out to potential victims.
Gary Ogasawara, CTO of Cloudian, observes that the security of cloud databases is an area in which organizations have to be especially proactive: “Microsoft’s warning should serve as a wakeup call for organizations relying solely on their cloud provider for security. They must take matters into their own hands to safeguard their data, most importantly protecting it at the storage layer. This includes encrypting data both in flight and at rest to keep cybercriminals from reading it or making it public in any intelligible form. In addition, organizations should have an immutable (unchangeable) backup copy of their data. Immutability prevents such criminals from altering or deleting the data and ensures the ability to recover the uninfected backup copy in the event of a ransomware attack, without having to pay ransom.”
Misconfigurations of cloud databases are among the most frequently occurring cybersecurity issues at present, costing companies an estimated $5 trillion per year. While some of these issues stem from an inherent vulnerability, they are also often caused by incompatible software or by a patch or update inadvertently breaking something. They are particularly dangerous because they tend to be easy to find and exploit (sometimes simply by querying an internet-wide scanning service such as Shodan for exposed instances), yet they allow an attacker to quickly abscond with a huge volume of confidential company data and personal information.
As Ogasawara points out, encryption of sensitive data is an effective failsafe. Organizations are also well served by running misconfiguration audits on a regular schedule, removing unnecessary permissions, and ensuring that proper logging is in place throughout the cloud environment so that unexpected access to keys and data can be spotted.