Update your CosmosDB Primary Key - ChaosDB


Posted on 9/2/2021


In the past few days, a vulnerability in Azure's CosmosDB became known that was described as "the worst cloud vulnerability you can imagine".

The vulnerability, reported by Wiz, exposed thousands of Azure customers for the last two years.

What happened and what does this mean for Azure customers?

The vulnerability uncovered by the Wiz research team affects Cosmos DB, Microsoft's fully managed NoSQL database service. A series of flaws in a Cosmos DB feature opened a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as to read and write the underlying architecture of CosmosDB. The vulnerability doesn't require any other credentials and is quite trivial to exploit.

How does it work?

In 2019, Microsoft added the Jupyter Notebook feature to CosmosDB. This feature lets you analyze and visualize data stored in CosmosDB. The feature was automatically turned on by default starting from February 2021.

A series of misconfigurations in this feature opened up an attack vector, allowing this exploit. In short, the notebook container allowed for a privilege escalation into other customer notebook containers. An attacker could gain access to the customer CosmosDB primary key and other sensitive secrets.

Afterward, the attacker has full admin access using the primary key.

Impact

Microsoft's security team took immediate action and addressed the issue. Within 48 hours of the report, the vulnerable notebook feature was disabled. However, you may still be impacted, as the primary key might have been extracted before that. The primary key is a long-lived secret that is not rotated regularly by default. So even after Microsoft disabled this feature, an attacker who obtained your key can still access your database. This may also affect Cosmos DB accounts even if you restricted traffic to Azure services only.

You should regenerate the primary key of all affected Cosmos DB accounts.
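
One way to carry out this regeneration across a subscription with the Azure CLI, as an added example that is not part of the original post. It assumes clients currently authenticate with the primary key, so the secondary key is regenerated first and the primary only after clients have moved; the account and resource-group names are constructed placeholders, and `DRY_RUN` and the function names are this example's own.

```shell
#!/bin/sh
# Added example: two-phase Cosmos DB key rotation with the Azure CLI.
# Assumption: clients currently authenticate with the primary key.
#   Phase 1 (secondary): regenerate the secondary key, then repoint clients to it.
#   Phase 2 (primary):   regenerate the possibly exposed primary key.
# DRY_RUN=1 (default) prints the commands for constructed sample accounts;
# DRY_RUN=0 queries the current subscription and executes via `az`.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample inventory: "<account> <resource-group>" per line.
SAMPLE_ACCOUNTS='orders-db rg-prod
telemetry-db rg-analytics'

# List accounts: live from the subscription when executing, sample data otherwise.
list_accounts() {
  if [ "$DRY_RUN" = "0" ]; then
    az cosmosdb list --query "[].[name, resourceGroup]" -o tsv
  else
    printf '%s\n' "$SAMPLE_ACCOUNTS"
  fi
}

# Regenerate one key kind on one account: regenerate_key <account> <rg> <kind>
regenerate_key() {
  case "$3" in
    primary|secondary) ;;
    *) echo "unsupported key kind: $3" >&2; return 2 ;;
  esac
  if [ "$DRY_RUN" = "0" ]; then
    az cosmosdb keys regenerate --name "$1" --resource-group "$2" --key-kind "$3"
  else
    echo "az cosmosdb keys regenerate --name $1 --resource-group $2 --key-kind $3"
  fi
}

# Run one phase across every account; stop at the first failure so a partly
# rotated subscription is noticed instead of silently skipped.
rotate_phase() {
  list_accounts | while read -r name rg; do
    [ -n "$name" ] || continue
    # </dev/null keeps `az` from consuming the account list on stdin.
    regenerate_key "$name" "$rg" "$1" </dev/null || exit 1
  done
}

# Default to the first phase; pass "primary" once clients use the secondary key.
rotate_phase "${1:-secondary}"
```

Run it once with no argument, update client connection strings to the new secondary key, then run it again with `primary` as the argument.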