Azure Cosmos DB alert: This crucial vulnerability places customers in danger
In case you’re working NoSQL databases on Microsoft’s Azure cloud, chances are high you are working Cosmos DB. And, if that is you, you are in hassle. Even Microsoft had admitted that this newly found crucial vulnerability, ChaosDB, permits intruders to learn, change and even delete all of your databases.
In accordance with the Microsoft electronic mail describing the issue to affected prospects, “Microsoft has just lately develop into conscious of a vulnerability in Azure Cosmos DB that would doubtlessly permit a consumer to realize entry to a different buyer’s sources by utilizing the account’s main read-write key. This vulnerability was reported to us in confidence by an exterior safety researcher. As soon as we turned conscious of this challenge on 12 August 2021, we mitigated the vulnerability instantly.”
That is a great factor as a result of in line with the cloud safety agency, WIZ, which uncovered the ChaosDB safety gap, it “provides any Azure consumer full admin entry (learn, write, delete) to a different buyer’s Cosmos DB situations with out authorization. The vulnerability has a trivial exploit that does not require any earlier entry to the goal atmosphere and impacts hundreds of organizations, together with quite a few Fortune 500 firms.”
How trivial is the exploit? Very.
In accordance with WIZ, all an attacker must do is exploit an easy-to-follow chain of vulnerabilities in Cosmos DB’s Jupyter Pocket book. Jupyter Pocket book is an open-source internet utility that’s immediately built-in together with your Azure portal and Cosmos DB accounts. It lets you create and share paperwork that comprise stay code, equations, visualizations, and narrative textual content. If that appears like a variety of entry to offer to an online utility, you are proper, it’s.
As unhealthy as that’s, after you have entry to the Jupyter Pocket book, you may receive the goal Cosmos DB account credentials, together with the databases’ Major Key. Armed with these credentials, an attacker can view, modify, and delete knowledge within the goal Cosmos DB account in a number of methods.
To patch this gap, you should regenerate and rotate your main read-write Cosmos DB keys for every of the impacted Azure Cosmos DB accounts. That is simple sufficient. And, Microsoft claims, whereas this vulnerability is unhealthy information, you do not have to fret that a lot about it. Microsoft states:
We now have no indication that exterior entities exterior the researcher had entry to the first read-write key related together with your Azure Cosmos DB account(s). As well as, we’re not conscious of any knowledge entry due to this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by extra safety mechanisms that forestall [the] danger of unauthorized entry. Out of an abundance of warning, we’re notifying you to take the next actions as a precautionary measure.
WIZ is not so optimistic. Whereas agreeing that Microsoft’s safety took quick motion to repair the issue and disabled the susceptible characteristic inside 48 hours of being informed about ChaosDB, the researchers level out that “the vulnerability has been exploitable for months and each Cosmos DB buyer ought to assume they have been uncovered.”
I agree. It is higher to be secure than sorry when coping with a safety gap of this dimension and magnitude.