“Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that may possibly allow a user to obtain access to another customer’s resources by exploiting the account’s main read-write key. An external security researcher informed us of this issue in confidence. We promptly addressed the vulnerability after becoming aware of it on August 12, 2021,” according to the Microsoft email to affected customers.
Prompt action matters here, because the ChaosDB flaw, in the words of Wiz, the security firm that found it, “grants any Azure user complete admin access (read, write, delete) to another customer’s Cosmos DB instances without authentication.”
“The vulnerability offers a simple attack that requires no prior knowledge of the target environment and affects thousands of businesses, including several Fortune 500 corporations.” According to Wiz, an attacker only needs to chain a series of flaws in Cosmos DB’s built-in Jupyter Notebook feature. Jupyter Notebook is a free, open-source web application; Cosmos DB embeds it in the Azure portal so you can explore your account’s data in documents that mix live code, equations, visualizations and narrative text. If that sounds like a lot of access to grant to a web application, you’re correct.
Worse, an attacker who gains access to the notebook environment can obtain the target Cosmos DB account’s credentials, including its Primary Key. The primary key is the account-level read-write key: whoever holds it can read, change and delete data in every database and container in that account.
Microsoft has fixed the flaw on the service side; what remains for customers is to regenerate (rotate) the primary read-write key of every Azure Cosmos DB account that was exposed. Regenerating a key is a single command, but every application, connection string and Key Vault secret that still holds the old key stops working the moment it is regenerated, so the rotation needs a little planning. And, according to Microsoft, which said it found no indication that anyone other than the researcher had obtained a key, while this vulnerability is bad news, you shouldn’t be too concerned about it.
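The rotation above, scripted with the Azure CLI, as an example added here by the editor; it is not code from the article, from Wiz or from Microsoft. It assumes the Azure CLI is installed and logged in to the subscription that holds the accounts. The AZ and ON_ROTATE variables are this script's own names (not Azure CLI options): AZ lets you point at a stub for a dry run, and ON_ROTATE is a command you supply, for instance one that writes the new key into a Key Vault secret and restarts the consumers, which the script calls as ON_ROTATE <account> <key-kind> after every regeneration. It regenerates the secondary key first and the primary second so that one valid key is in service at every moment; regenerating the primary first would cut off every client at once.

```shell
#!/bin/sh
# Rotate the read-write keys of every Cosmos DB account in the current Azure
# subscription. AZ and ON_ROTATE are assumptions of this example script, not
# Azure CLI features: AZ is the CLI binary (or a stub for dry runs), ON_ROTATE
# is an operator-supplied hook invoked as: <hook> <account> <key-kind>.
set -eu

AZ="${AZ:-az}"
ON_ROTATE="${ON_ROTATE:-:}"   # ':' is the shell no-op, i.e. no hook configured

# Regenerate one key of one account and publish it through the hook.
# Valid kinds: primary, secondary, primaryReadonly, secondaryReadonly.
regenerate_key() {
  "$AZ" cosmosdb keys regenerate --resource-group "$1" --name "$2" \
    --key-kind "$3" --output none
  "$ON_ROTATE" "$2" "$3"
}

# Rotate one account's read-write pair so that a valid key is in service at
# every moment:
#   1. regenerate secondary: clients on the old primary keep working
#   2. the hook moves clients onto the fresh secondary
#   3. regenerate primary: the possibly leaked key is now dead, and the hook
#      moves clients onto the fresh primary (or leaves them on the secondary).
rotate_account() {
  regenerate_key "$1" "$2" secondary
  regenerate_key "$1" "$2" primary
}

# Every account in the subscription, one "<resourceGroup><TAB><name>" per line.
list_accounts() {
  "$AZ" cosmosdb list --query "[].[resourceGroup,name]" --output tsv
}

rotate_all() {
  list_accounts | while read -r rg account; do
    [ -n "$account" ] || continue
    echo "rotating $rg/$account"
    rotate_account "$rg" "$account"
  done
}

# Only touch Azure when invoked as:  sh rotate-cosmos-keys.sh run
# so the functions can be sourced or exercised against a stubbed AZ first.
if [ "${1:-}" = "run" ]; then
  rotate_all
fi
```

Run it once with AZ pointed at a stub that only echoes its arguments to see the exact sequence of calls it will make, then with `run` against the real subscription. The read-only keys (primaryReadonly, secondaryReadonly) are derived from the read-write keys and change with them, so anything that uses them needs the same hook treatment.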