ChaosDB: Researchers share technical details of Azure flaw
BLACK HAT EUROPE 2021 — LONDON — Researchers who discovered a severe vulnerability in the Microsoft Azure Cosmos DB database solution today revealed the full extent of the flaws they found and previously undisclosed details of their investigation, which it turns out was far more extensive than first revealed.
In August 2021, the Wiz team revealed a critical vulnerability in the Azure cloud platform that would enable remote account takeover of the Cosmos DB database. Dubbed ChaosDB, this flaw gave any Azure user full admin access to other customers’ Cosmos DB instances without authorization. Its impact spanned thousands of businesses, including many Fortune 500 firms.
More specifically, multiple flaws existed in Microsoft’s implementation of Jupyter Notebook, an open source Web application commonly used for data science. A local privilege escalation flaw led to unrestricted network access, which allowed researchers to access a wide range of certificates and private keys that provided admin access to other users’ Cosmos DB accounts.
To make things worse, Cosmos DB accounts previously came with Jupyter Notebook auto-enabled, which wasn’t made clear to users. As a result, many customers were unknowingly exposed to this vulnerability.
Wiz reported the findings to Microsoft, which issued a fix within 48 hours and confirmed in a blog post that no customer data had been accessed using this vulnerability by third parties or security researchers. It also shut down the Jupyter Notebook feature, albeit temporarily.
But this wasn’t the full story of ChaosDB, Wiz security researchers Sagi Tzadik and Nir Ohfeld said in their Black Hat talk today. The vulnerability did more than allow an unprivileged user to obtain complete, unrestricted access to the databases of several thousand Azure customers.
By exploiting each misconfiguration in Cosmos DB and chaining them together, the researchers were able to obtain many of Microsoft’s internal Cosmos DB-related secrets and credentials. With these, they were able to authenticate as admin to more than 100 Cosmos DB-related management panels, in the form of instances of Service Fabric, the container orchestration tool used to power Cosmos DB.
The finding is unprecedented, Ohfeld says in an interview with Dark Reading. “No other person outside of Microsoft gained this kind of administrative access to the magic that actually makes the cloud work.” This was one of the reasons, Tzadik adds, that they held off on disclosing their full findings until now — to give the company sufficient time to mitigate the issue. Some of the information they could access was not only about Cosmos DB but about how Azure works.
To read the complete article, visit Dark Reading.