[BreachExchange] Vulnerability in Microsoft Azure Cosmos DB may have exposed customer data to hackers
Sophia Kingsbury
sophia.kingsbury at riskbasedsecurity.com
Fri Aug 27 08:41:04 EDT 2021
https://siliconangle.com/2021/08/26/vulnerability-microsoft-azure-cosmos-db-may-exposed-customer-data-hackers/
Microsoft Corp. has warned cloud customers that hackers may have
potentially accessed their data via an exploitable vulnerability in its
Azure cloud service.
Reuters first reported the news today, but the discovery of the
vulnerability came from researchers at Wiz Inc. The vulnerability is in
Microsoft Azure’s Cosmos DB product and isn’t that hard to access.
The Wiz researchers discovered they could get access to keys that control
access to thousands of companies. With those keys, they then had unfiltered
access. Some of the customers include Coca-Cola Co., Exxon-Mobil Corp. and
Citrix Systems Inc., among others.
“Database exposures have become alarmingly common in recent years as more
companies move to the cloud and the culprit is usually a misconfiguration
in the customer’s environment,” the Wiz researchers noted. “In this case,
customers were not at fault.”
The issue lies with Microsoft and a series of flaws in an Azure Cosmos DB
feature that creates a loophole, allowing any user to own, delete or
manipulate commercial databases. In addition, the flaws also provide
read/write access to the underlying architecture of Cosmos DB.
The Wiz researchers have dubbed the vulnerability as #ChaosDB. They add
that “exploiting it was trivial and required no other credentials.”
Microsoft cannot change customer keys by itself, with Reuters noting that
the company emailed customers today telling them to create new keys. “We
fixed this issue immediately to keep our customers safe and protected,” a
Microsoft spokesperson said in a statement. “We thank the security
researchers for working under coordinated vulnerability disclosure.”
That thanks included a payment to Wiz of $40,000 for finding the
vulnerability and reporting it.
Vulnerabilities often appear to be a dime a dozen nearly every single day.
This Cosmos DB vulnerability, however, is severe.
“This is the worst cloud vulnerability you can imagine,” Wiz Chief
Technology Officer Ami Luttwak told Reuters. “It is a long-lasting secret.
This is the central database of Azure and we were able to get access to any
customer database that we wanted.”
Noting that Microsoft has emailed some customers, the researchers at Wiz
added that “we believe many more Cosmos DB customers may be at risk.” The
vulnerability is said to have been exploitable for at least several months
or possibly years.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210827/bcc32037/attachment.html>
More information about the BreachExchange
mailing list