On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook instance, referred to as ChaosDB, that allows a user to gain access to another user’s data.
Azure Cosmos DB is Microsoft’s proprietary database service used for modern app development. Its built-in Jupyter Notebooks let users analyze and visualize their data directly from the Azure portal.
An exploit chain was found in the Jupyter Notebook feature of Cosmos DB that could compromise primary read-write keys, allowing attackers to access users’ data.
Organisations are advised to regenerate their keys as a mitigation measure.
Azure Cosmos DB’s built-in Jupyter Notebook feature was affected by a vulnerability dubbed ChaosDB. Chaining the exposed Jupyter Notebook flaws could allow an attacker to query information and retrieve credentials for Cosmos DB accounts, the Jupyter Notebook compute, and the Jupyter Notebook storage accounts, including the primary read-write keys. These keys give an attacker unauthorized access to view, modify, and delete data in victim Cosmos DB accounts. The primary key of a Cosmos DB account could be compromised regardless of its network access configuration; however, the data in the account can only be compromised if the attacker also gains remote access to the DB instance.
To counter the impact, Microsoft has released an official guide to regenerating primary Cosmos DB keys; the details are given in the Impact & Mitigation section of this advisory.
Jupyter-enabled Cosmos DB instances are vulnerable regardless of which other services run on the Azure infrastructure.
Cloud-related vulnerabilities are not usually assigned CVE IDs, so ChaosDB has no specific CVE ID. Microsoft recommends that organizations regenerate the primary read-write key of their Cosmos DB accounts by following the key regeneration guide referenced in the Impact & Mitigation section of this advisory.
Even though Microsoft has disabled the vulnerable feature, it has recommended that all Cosmos DB users assume they have been affected by this attack.
Listed below is the timeline of events leading up to the disclosure of the vulnerability:
August 09 2021 – Wiz Research Team first exploited the bug and gained unauthorized access to Cosmos DB accounts.
August 12 2021 – Wiz Research Team sent the advisory to Microsoft.
August 14 2021 – Wiz Research Team observed that the vulnerable feature had been disabled.
August 16 2021 – MSRC confirmed the reported behavior (MSRC Case 66805).
August 16 2021 – Wiz Research Team observed that some of the credentials obtained had been revoked.
August 17 2021 – MSRC awarded a USD 40,000 bounty for the report.
August 23 2021 – MSRC confirmed that several thousand customers had been impacted.
August 26 2021 – Public disclosure.
According to the official statement published by Microsoft, no customer data was accessed via the vulnerability. However, CloudSEK Threat Intelligence came across an advertisement published by a threat actor on a cyber crime forum, selling the data of 21 million Microsoft users.
Here’s a quick service reference for SOC teams to monitor the Cosmos DB network traffic.
Port 10250 maps to the default Azure Cosmos DB API for MongoDB instance without geo-replication, whereas ports 10255 and 10256 map to instances with geo-replication enabled.
When using public/service endpoints: ports in the 10000 through 20000 range.
When using private endpoints: ports in the 0 through 65535 range.
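The port reference above can be turned into a simple triage pass over network-flow records. The following is an added example written for this advisory, not code from CloudSEK or Microsoft: it classifies destination ports using the mappings given above and additionally flags Cosmos DB-bound flows whose source address is outside an assumed set of known application subnets, which is the kind of anomaly a SOC team would want to see after regenerating keys. The flow-log format, the sample records, the IP addresses, and the known-client prefixes are all constructed for illustration.

```python
"""Classify flow records against the Cosmos DB port reference (added example)."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port meanings as stated in the advisory.
MONGO_API_PORT = 10250                        # MongoDB API, no geo-replication
MONGO_API_GEO_PORTS = {10255, 10256}          # MongoDB API with geo-replication
PUBLIC_ENDPOINT_RANGE = range(10000, 20001)   # public/service endpoints
PRIVATE_ENDPOINT_RANGE = range(0, 65536)      # private endpoints (any port)

# Assumption: the subnets from which legitimate application clients connect.
KNOWN_CLIENT_PREFIXES: Tuple[str, ...] = ("10.0.1.", "10.0.2.")

# Constructed sample flow log (not real traffic). endpoint_kind is an assumed
# field saying whether the destination was reached via a public or private endpoint.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,endpoint_kind
10.0.1.15,40.112.0.10,10250,public
10.0.1.15,40.112.0.10,10255,public
10.0.1.22,40.112.0.10,443,public
10.0.2.7,10.0.9.4,10250,private
198.51.100.9,40.112.0.10,10256,public
"""


@dataclass(frozen=True)
class FlowFinding:
    src_ip: str
    dst_ip: str
    dst_port: int
    label: str


def classify_port(port: int, endpoint_kind: str) -> Optional[str]:
    """Return a label for a Cosmos DB-relevant destination port, or None.

    The specific MongoDB API ports are checked first so they keep their precise
    label even though they also fall inside the broader endpoint ranges.
    """
    if port == MONGO_API_PORT:
        return "cosmosdb-mongo-api"
    if port in MONGO_API_GEO_PORTS:
        return "cosmosdb-mongo-api-geo-replicated"
    if endpoint_kind == "public" and port in PUBLIC_ENDPOINT_RANGE:
        return "cosmosdb-public-endpoint-range"
    if endpoint_kind == "private" and port in PRIVATE_ENDPOINT_RANGE:
        return "cosmosdb-private-endpoint-range"
    return None


def analyse_flows(text: str,
                  known_prefixes: Tuple[str, ...] = KNOWN_CLIENT_PREFIXES) -> List[FlowFinding]:
    """Parse CSV flow records and return findings for Cosmos DB-bound flows.

    A flow from a source outside the known client subnets gets an extra
    ";unexpected-source" tag so it can be prioritised for review.
    """
    findings: List[FlowFinding] = []
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["dst_port"])
        label = classify_port(port, row["endpoint_kind"].strip().lower())
        if label is None:
            continue  # not a Cosmos DB-relevant port for this endpoint kind
        if not row["src_ip"].startswith(known_prefixes):
            label += ";unexpected-source"
        findings.append(FlowFinding(row["src_ip"], row["dst_ip"], port, label))
    return findings


if __name__ == "__main__":
    for f in analyse_flows(SAMPLE_FLOWS):
        print(f"{f.src_ip:>14} -> {f.dst_ip}:{f.dst_port:<5} {f.label}")
```

Note that, per the advisory, a private endpoint can use any port, so the private-endpoint label alone is weak evidence and is most useful combined with the source-address check or with the specific MongoDB API ports.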
In a recent update, a similar bug was detected in Microsoft’s Azure Container Instances service, which according to Microsoft has been fixed. The technical details of the flaw were withheld, and an advisory was published warning users to revoke any privileged credentials deployed to the platform before August 31, 2021. It also states that rotating privileged credentials would be “an effective precautionary measure”, which indicates an authentication issue.
Impact & Mitigation
Cosmos DB account may be targeted for information gathering.
Credential key retrieval may lead to unauthorized account takeover.
Unauthorized modification and data exfiltration lead to the loss of data integrity and confidentiality.
Microsoft has requested that organisations regenerate the primary keys for their respective Cosmos DB accounts.
The link to the official guide is given below: https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys