
Microsoft Azure Cosmos DB Vulnerable – Chaos DB Vulnerability

Wiz, an Israel-based cloud-security company, has found a critical vulnerability in Azure Cosmos DB, Microsoft's managed database service. Wiz has named it ChaosDB. The flaw allowed a user to gain full, unrestricted access to Cosmos DB accounts belonging to other Azure customers, without any authorization, and thereby to read, modify or delete their data. Thousands of Cosmos DB customers are likely to be affected by the previously unknown vulnerability; according to the Wiz security team, any Cosmos DB account that had the Jupyter Notebook feature enabled is potentially impacted.

At Microsoft's request, Wiz has not yet disclosed the full details of the vulnerability. The basic information Wiz has shared so far is available on its website, and Wiz intends to publish a detailed technical write-up once most Cosmos DB customers have applied the mitigation.

Statement by Microsoft on the Chaos DB vulnerability

Microsoft moved quickly to close the hole in Cosmos DB. It sent the following notice to affected customers who use Cosmos DB on Azure:

“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.

We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.”

Action Taken by Microsoft

Microsoft was informed of the vulnerability on 12 August 2021 and disabled the vulnerable notebook feature within 48 hours. However, Wiz believes the vulnerability had existed for a long time before it was reported, so most Cosmos DB customers are likely to have been exposed at some point. Whether anyone exploited it for data access or data theft is unknown; Microsoft's notice says only that it has no indication of such access, which is not the same as ruling it out. Affected organisations should therefore audit their data and, where possible, carry out a forensic review of their Cosmos DB accounts: if diagnostic logging of data-plane requests was enabled on the account, look for requests from unfamiliar client IP addresses, and check records for signs of tampering. Such a review is the only way to obtain evidence of tampering or of exposure to unwanted parties.

Microsoft has also advised Cosmos DB customers to regenerate their primary read-write keys. The number of affected customers is not yet known, so every Cosmos DB customer should regenerate the keys immediately, as an emergency measure: disabling the notebook feature stops new key theft, but a key that was already obtained remains valid until it is regenerated. It is prudent to regenerate the secondary and read-only keys as well. Rotating keys is the only fix available to customers at present; restricting the account to a virtual network or enabling its firewall, which Microsoft's notice mentions, additionally limits what an attacker can do with a stolen key. A full review of the vulnerability may yet yield a more permanent solution.

How do you re-generate the Cosmos DB primary key on Azure?

You can regenerate the Cosmos DB primary key with the following Azure CLI command:

az cosmosdb regenerate-key --key-kind primary --name MyCosmosDBDatabaseAccount --resource-group MyResourceGroup

The --key-kind argument selects which key to regenerate (primary here; the valid values are primary, primaryReadonly, secondary and secondaryReadonly), --name is the Cosmos DB account name and --resource-group is the resource group that contains the account. Newer versions of the CLI also expose the same operation as az cosmosdb keys regenerate. Regenerating a key invalidates the old one immediately, so any application still using it will start failing with 401 Unauthorized responses; switch applications to the secondary key before regenerating the primary, and regenerate the secondary afterwards so that no previously exposed key remains valid.
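The rotation order described above, as an added example script; this is not code from the original article, from Wiz or from Microsoft. It assumes the placeholder account name and resource group used in the command above (override them with the COSMOS_ACCOUNT and COSMOS_RG environment variables), that the Azure CLI is installed and logged in, and that your applications can be repointed at the other key pair between the two halves of the rotation. By default it runs in dry-run mode and only prints the az commands it would execute.

```shell
#!/bin/sh
# Added example: rotate all four Cosmos DB account keys without an outage.
# Not code from the original article, Wiz or Microsoft. The account name and
# resource group below are placeholders (assumed); set COSMOS_ACCOUNT and
# COSMOS_RG to your own values, and DRY_RUN=0 to actually run the az commands.
set -eu

ACCOUNT="${COSMOS_ACCOUNT:-MyCosmosDBDatabaseAccount}"   # placeholder
RG="${COSMOS_RG:-MyResourceGroup}"                       # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each az command instead of executing it

# rotation_plan: the order in which the four keys are regenerated.
# The secondary pair goes first, while applications are still using the
# primary pair; once applications have been moved to the fresh secondary
# keys, the primary pair (the one Microsoft's notice names) is regenerated.
rotation_plan() {
  printf '%s\n' secondary secondaryReadonly primary primaryReadonly
}

# regenerate_key <key-kind>: one az call, or its dry-run echo.
regenerate_key() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: az cosmosdb regenerate-key --key-kind %s --name %s --resource-group %s\n' \
      "$1" "$ACCOUNT" "$RG"
  else
    az cosmosdb regenerate-key --key-kind "$1" --name "$ACCOUNT" \
      --resource-group "$RG" --output none
  fi
}

# rotate_keys: walk the plan, pausing for the application switch-over after
# the secondary pair has been regenerated. Regenerating a key invalidates the
# old one at once, so the pause is what keeps applications from seeing 401s.
rotate_keys() {
  for kind in $(rotation_plan); do
    regenerate_key "$kind"
    if [ "$kind" = "secondaryReadonly" ]; then
      echo "# Move applications to the new secondary keys before continuing"
      [ "$DRY_RUN" = "1" ] || { printf 'Press Enter when done: '; read dummy; }
    fi
  done
  [ "$DRY_RUN" = "1" ] || echo "# All four keys regenerated; old keys are now invalid"
}

# Usage: DRY_RUN=0 COSMOS_ACCOUNT=myacct COSMOS_RG=myrg sh rotate-cosmos-keys.sh run
if [ "${1:-}" = "run" ]; then
  rotate_keys
fi
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 to perform the rotation. Leaving applications on the secondary pair after the run is fine; the point is that every key that could have been exposed has been replaced, and that no application was ever pointed at a key at the moment it was invalidated.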