On August 27, Wiz, a cloud security provider, publicly disclosed a series of flaws in Azure’s database service, Cosmos DB, that enable any user to download, remove or change company databases without any other credentials.
The flaw was found in Jupyter Notebook, an open-source visualization tool often used for statistical modeling, machine learning, and data cleaning. Although the tool has been available in Cosmos since 2019, Microsoft enabled it by default for Cosmos in February 2021.
To gain access to the Cosmos database, Wiz researchers first accessed customers’ Cosmos primary keys, which enable full read, write and delete access to customer data. The notebook container allowed for privilege escalation into other customers’ notebooks, according to Wiz.
Wiz researchers discovered the vulnerability, which they named ChaosDB, on August 9 and informed Microsoft on August 12. Microsoft disabled the buggy Jupyter Notebook feature on August 14. The vulnerability has not been exploited in the wild, and no customer data was affected, according to Microsoft.
However, Microsoft’s recent track record for effectively communicating about its vulnerabilities has been suspect, according to various security experts. Microsoft caused confusion during July’s PrintNightmare incident when it first misdiagnosed the severity of the bug, only to update the documentation later on with confirmation that the vulnerability was a remote code execution.
According to Wiz, Microsoft only warned 30% of its customers about the vulnerability. The actual number of customers affected by ChaosDB is higher, Wiz researchers claimed.
Wiz CTO Ami Luttwak, who was previously CTO of Microsoft’s Cloud Security Group, called ChaosDB “the worst cloud vulnerability you can imagine.” The flaw left customers’ Cosmos DB databases exposed for the last two years.
If someone other than Wiz had found the same flaw between February 2021 and now and was able to find and enumerate a company’s Cosmos DB, there would have been far more risk.
However, the flaw was mitigated when Microsoft disabled the buggy Jupyter Notebook feature, according to Wiz.
Microsoft advises all Cosmos DB customers to regenerate their primary keys, a task that Microsoft cannot complete on their customers’ behalf.
The company also provided several other steps to secure Cosmos DB:
Cloud customers should be aware of the inherent risks involved with allowing a vendor to store customer data. Cloud services aren’t assigned CVEs, so flaws like ChaosDB get silently patched. A customer may or may not get notified about their exposure because it is up to the vendor to decide whether to perform secure auditing or pentesting.
Security experts, including those at Wiz, believe that there should be an industry initiative to develop a CVE repository for cloud services.
There is a massive gap in cloud security, by the way. No CVE numbers are issued for flaws, and suppliers aren’t required to disclose flaws. Cloud services aren’t magically secure.
You’ll notice public disclosure of this comes from an external researcher.
— Kevin Beaumont (@GossiTheDog) August 27, 2021
Organizations running cloud services should have monitoring capabilities in place to avoid exposure to flaws like ChaosDB. As Wiz notes in their latest update, a number of the actions involved are not logged without additional effort, such as the last time a key was regenerated. However, there are a number of opportunities for monitoring to ensure your data is audited and properly secured.
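As an added example, not taken from the Blumira post or from Wiz, the following script shows two checks a defender can run over Azure Activity Log records for Cosmos DB accounts: which accounts have not had a primary key regenerated since ChaosDB was reported, and which listKeys calls came from principals outside an allow-list. The log records are constructed, and the two Cosmos DB operation names are assumed from Azure's resource provider operations for Microsoft.DocumentDB.

```python
from datetime import datetime, timezone

# Assumed Azure resource provider operation names for Cosmos DB key handling.
REGENERATE_OP = "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"
LISTKEYS_OP = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
# ChaosDB was reported to Microsoft on August 12, 2021 (from the article above).
DISCLOSURE = datetime(2021, 8, 12, tzinfo=timezone.utc)


def rid(name):
    """Resource id of a Cosmos account in a constructed subscription and resource group."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
            "/providers/Microsoft.DocumentDB/databaseAccounts/" + name)


def event(op, ts, caller, account):
    """Build a minimal Activity Log style record (constructed, not real data)."""
    return {"operationName": {"value": op}, "eventTimestamp": ts,
            "caller": caller, "resourceId": rid(account)}


ACCOUNTS = [rid("analytics-db"), rid("orders-db"), rid("reporting-db")]
ALLOWED_KEY_READERS = {"ops@example.com", "svc-etl@example.com"}
SAMPLE_EVENTS = [  # constructed sample log
    event(REGENERATE_OP, "2021-06-01T08:00:00Z", "ops@example.com", "orders-db"),
    event(REGENERATE_OP, "2021-08-20T09:15:00Z", "ops@example.com", "orders-db"),
    event(REGENERATE_OP, "2021-07-01T10:00:00Z", "ops@example.com", "analytics-db"),
    event(LISTKEYS_OP, "2021-08-25T03:12:00Z", "svc-etl@example.com", "analytics-db"),
    event(LISTKEYS_OP, "2021-08-26T22:41:00Z",
          "11111111-2222-3333-4444-555555555555", "orders-db"),  # unknown service principal
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def last_key_regeneration(events):
    """Map each Cosmos account resource id to its most recent regenerateKey timestamp."""
    last = {}
    for e in events:
        if e["operationName"]["value"] != REGENERATE_OP:
            continue
        ts, acct = parse_ts(e["eventTimestamp"]), e["resourceId"]
        if acct not in last or ts > last[acct]:
            last[acct] = ts
    return last


def accounts_needing_rotation(events, accounts, since=DISCLOSURE):
    """Accounts with no regenerateKey event at or after `since` (sorted by resource id)."""
    last = last_key_regeneration(events)
    return sorted(a for a in accounts if a not in last or last[a] < since)


def unexpected_key_reads(events, allowed_callers):
    """listKeys calls by principals outside the allow-list, the events worth alerting on."""
    return [(e["caller"], e["resourceId"], e["eventTimestamp"]) for e in events
            if e["operationName"]["value"] == LISTKEYS_OP and e["caller"] not in allowed_callers]
```

The same two functions can be fed the output of an Activity Log export or a SIEM query once the records are normalized to the fields used here.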
IT and security teams should be able to monitor:
Blumira’s cloud-based security leverages threat intelligence and behavioral analytics to detect attacker attempts to log in to your systems, including geo-impossible logins and fraudulent login attempts that could indicate the theft of usernames and passwords.
Blumira easily integrates with AWS and Microsoft Azure to detect misconfigurations, suspicious logins and other behaviors, limiting their security impact on your environment.