Vulnerability in Microsoft Azure Cosmos DB may have exposed customer data to hackers
Microsoft Corp. has warned cloud customers that hackers may have accessed their data via an exploitable vulnerability in its Azure cloud service.
Reuters first reported the news today, but the discovery of the vulnerability came from researchers at Wiz Inc. The vulnerability is in Microsoft Azure’s Cosmos DB product and wasn’t difficult to exploit.
The Wiz researchers discovered they could obtain the keys that control access to the databases of thousands of companies. With those keys, they then had unfiltered access. Some of the customers include Coca-Cola Co., Exxon-Mobil Corp. and Citrix Systems Inc., among others.
“Database exposures have become alarmingly common in recent years as more companies move to the cloud and the culprit is usually a misconfiguration in the customer’s environment,” the Wiz researchers noted. “In this case, customers were not at fault.”
The issue lies with Microsoft and a series of flaws in an Azure Cosmos DB feature that creates a loophole, allowing any user to own, delete or manipulate commercial databases. In addition, the flaws also provide read/write access to the underlying architecture of Cosmos DB.
The Wiz researchers have dubbed the vulnerability #ChaosDB. They add that “exploiting it was trivial and required no other credentials.”
Microsoft cannot change customer keys by itself, with Reuters noting that the company emailed customers today telling them to create new keys. “We fixed this issue immediately to keep our customers safe and protected,” a Microsoft spokesperson said in a statement. “We thank the security researchers for working under coordinated vulnerability disclosure.”
That thanks included a payment to Wiz of $40,000 for finding the vulnerability and reporting it.
New vulnerabilities are a dime a dozen, surfacing nearly every day. This Cosmos DB vulnerability, however, is severe.
“This is the worst cloud vulnerability you can imagine,” Wiz Chief Technology Officer Ami Luttwak told Reuters. “It is a long-lasting secret. This is the central database of Azure and we were able to get access to any customer database that we wanted.”
Noting that Microsoft has emailed some customers, the researchers at Wiz added that “we believe many more Cosmos DB customers may be at risk.” The vulnerability is said to have been exploitable for at least several months or possibly years.
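Because Microsoft cannot rotate customer keys itself, affected customers have to regenerate their Cosmos DB account keys. The following is an added example, not code from the article or from Microsoft, showing how a defender can do that with the Az.CosmosDB PowerShell module while keeping applications online: secondary keys are regenerated first so apps can be moved onto them before the possibly exposed primary keys are invalidated. It assumes the Az modules are installed, Connect-AzAccount has been run, and $ResourceGroup and $AccountName are placeholders for your own account.

```powershell
# Added example (not from the article or from Microsoft): rotate all four keys of a
# Cosmos DB account after a suspected key exposure, verifying each one changed.
# Assumes Az.CosmosDB is installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder: your resource group
    [Parameter(Mandatory)] [string] $AccountName      # placeholder: your Cosmos DB account
)

# Record the current keys so we can confirm every one of them actually changed.
$before = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -Type Keys

# Step 1: regenerate the secondary keys. Applications still using the primary keys
# keep working, and can be switched to the fresh secondary keys next.
foreach ($kind in 'Secondary', 'SecondaryReadonly') {
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind $kind | Out-Null
    Write-Host "Regenerated $kind key"
}
Read-Host 'Point your applications at the new secondary keys, then press Enter to rotate the primary keys'

# Step 2: regenerate the primary keys. This is the moment the exposed keys stop working.
foreach ($kind in 'Primary', 'PrimaryReadonly') {
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyKind $kind | Out-Null
    Write-Host "Regenerated $kind key"
}

# Step 3: verify that no key still equals its pre-rotation value.
$after = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -Type Keys
foreach ($prop in 'PrimaryMasterKey', 'SecondaryMasterKey',
                  'PrimaryReadonlyMasterKey', 'SecondaryReadonlyMasterKey') {
    if ($before.$prop -eq $after.$prop) { throw "$prop was not rotated" }
}
Write-Host 'All four account keys rotated; the previous keys no longer grant access.'
```

Applications should afterwards be moved back onto the new primary keys so that the next rotation can follow the same secondary-then-primary order.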