Microsoft closes vulnerability in Azure feature that gave attackers database access
The Cosmos DB database service within Microsoft Azure had a vulnerability that allowed attackers to gain unrestricted access to the accounts and databases of thousands of Microsoft Azure customers. Microsoft has patched the leak and notified customers.
Wiz security researchers discovered that it was possible to obtain Cosmos DB’s primary keys. A primary key grants full access to all data within a Cosmos DB database: whoever holds it can not only read data, but also modify and delete it.
The problem lay with Jupyter Notebook, a feature within Cosmos DB that allows customers to visualize their data. This feature was introduced in 2019 and was automatically enabled for all Cosmos DB customers last February. “A series of misconfigurations within this notebook function opened a new attack vector,” the researchers say.
Wiz isn’t releasing much detail about these misconfigurations yet, though the researchers do say the notebook container enabled privilege escalation to other customer notebooks. This privilege escalation allowed an attacker to access the primary keys of the customer’s Cosmos DB database.
The researchers notified Microsoft, who gave the researchers $40,000 and turned off the notebook function. According to Wiz, this feature is still disabled, pending a fix. Microsoft says in an email to customers, which has been seen by Reuters, that the problem has been solved and that there is no indication that it has been abused. Only the researchers at Wiz would have known about it, Microsoft claims.
Notably, Wiz believes that Microsoft has not informed enough customers. According to the security researchers, Microsoft has only notified customers whose keys could have been viewed this month. The Azure creator also advises these customers to change their keys. However, the Wiz researchers argue that the leak had been present in Cosmos DB since February 2019 and that Microsoft should therefore inform many more customers. Wiz itself notified Microsoft of the security issue on August 12; two days later, the Jupyter Notebook feature was disabled.
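Microsoft's advice to change keys is the practical takeaway for any Cosmos DB customer, not only those notified. The script below is an added example, not code from the article, Wiz or Microsoft: it rotates the secondary key first, moves clients over, then rotates the primary key, so an exposed key is invalidated without downtime. It assumes the Az.CosmosDB PowerShell module with an already signed-in session (Connect-AzAccount), and the resource group and account names are placeholders.

```powershell
# Added example (not from the article, Wiz or Microsoft): rotate both
# Cosmos DB account keys with the Az.CosmosDB module without an outage.
# Assumptions: Az.Accounts/Az.CosmosDB installed, session already signed in,
# and the two names below are placeholders for your own resources.
$ResourceGroup = 'rg-example'      # placeholder
$AccountName   = 'cosmos-example'  # placeholder

function Rotate-CosmosKey {
    param([ValidateSet('primary', 'secondary')][string]$KeyKind)
    # Property names as returned by Get-AzCosmosDBAccountKey -Type 'Keys'
    $prop = if ($KeyKind -eq 'primary') { 'PrimaryMasterKey' } else { 'SecondaryMasterKey' }
    $before = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -Type 'Keys'
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind $KeyKind | Out-Null
    $after = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -Type 'Keys'
    # Verify the regeneration actually took effect before moving on.
    if ($before.$prop -eq $after.$prop) { throw "$KeyKind key did not change" }
    Write-Host "$KeyKind key rotated"
}

# 1. Rotate the secondary key first: running clients normally use the
#    primary key, so nothing breaks yet.
Rotate-CosmosKey -KeyKind 'secondary'
# 2. Point applications at the new secondary key (Key Vault, app settings).
Read-Host 'Switch applications to the new secondary key, then press Enter'
# 3. Rotate the primary key: any copy of the old primary key stops working here.
Rotate-CosmosKey -KeyKind 'primary'
# 4. Move applications back to the new primary key; if the secondary key may
#    also have been exposed, rotate it once more so neither key predates the incident.
```

Rotating a key revokes it immediately for every client, so the hand-over steps matter; the read-only keys (primaryReadonly, secondaryReadonly) can be rotated the same way if they were ever distributed.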