11/10/2021 04:45 PM

ChaosDB: Researchers Share Technical Details of Azure Flaw

Wiz researchers who discovered a severe flaw in the Azure Cosmos DB database discussed the full extent of the vulnerability at Black Hat Europe.

BLACK HAT EUROPE 2021 — LONDON — Researchers who discovered a severe vulnerability in the Microsoft Azure Cosmos DB database solution today revealed the full extent of the flaws they found and previously undisclosed details of their investigation, which it turns out was far more extensive than first revealed.

In August 2021, the Wiz team revealed a critical vulnerability in the Azure cloud platform that would enable remote account takeover of the Cosmos DB database. Dubbed ChaosDB, this flaw gave any Azure user full admin access to other customers' Cosmos DB instances without authorization. Its impact spanned thousands of businesses, including many Fortune 500 firms.

More specifically, multiple flaws existed in Microsoft's implementation of Jupyter Notebook, an open source Web application commonly used for data science. A local privilege escalation flaw led to unrestricted network access, which allowed researchers to access a wide range of certificates and private keys that provided admin access to other users' Cosmos DB accounts.

To make things worse, Cosmos DB accounts previously came with Jupyter Notebook auto-enabled, which wasn't made clear to users. As a result, many customers were unknowingly exposed to this vulnerability.

Wiz reported the findings to Microsoft, which issued a fix within 48 hours and confirmed in a blog post that no customer data had been accessed using this vulnerability by third parties or security researchers. It also shut down the Jupyter Notebook feature, albeit temporarily.

But this wasn't the full story of ChaosDB, Wiz security researchers Sagi Tzadik and Nir Ohfeld said in their Black Hat talk today. The vulnerability did more than allow an unprivileged user to obtain complete, unrestricted access to the databases of several thousand Azure customers.

By exploiting each misconfiguration in Cosmos DB and chaining them together, the researchers were able to obtain many of Microsoft's internal Cosmos DB-related secrets and credentials. With these, they were able to authenticate as admin to more than 100 Cosmos DB-related management panels in the form of Service Fabric instances, the container orchestration tool used to power Cosmos DB.

The finding is unprecedented, Ohfeld says in an interview with Dark Reading. "No other person outside of Microsoft gained this kind of administrative access to the magic that actually makes the cloud work." This was one of the reasons, Tzadik adds, that they held off on disclosing their full findings until now: to give the company sufficient time to mitigate the issue. Some of the information they could access was not only about Cosmos DB but about how Azure works.

"Besides taking over the account and manipulating data, we could also have damaged the Cosmos DB service due to the admin position we had from within it," the researchers explained in a blog post. "The impact of gaining access to the underlying Service Fabric instances means that this vulnerability was nearly impossible to defend against as a customer."

Going Down the Rabbit Hole
The team hadn't even been looking for vulnerabilities when their investigation began, Tzadik says in an interview with Dark Reading. Given the popularity of Cosmos DB, they were initially looking for common misconfigurations and reviewing the solution to spot errors.

While exploring its features, they discovered the embedded Jupyter Notebook container, which offers terminal access and the option to interact with the Cosmos DB instance in different programming languages. When they used the Jupyter terminal, or the default Python3 Notebook, they noticed their code was executed as the unprivileged "cosmosuser." When they switched their Python code to C#, they saw the code was being executed with root privileges.

"When we saw the Jupyter Notebook feature, we couldn't resist," says Ohfeld. "As an attacker, when we see a place that lets us execute arbitrary code, we have to have a look."

After discovering the local privilege escalation vulnerability in Jupyter Notebook, they used their root privileges to look around the container to determine which network resources they could access. The researchers found a list of forbidden IP addresses, which they were able to delete as they were configured locally on the container, achieving unrestricted network access.
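The two behaviours described above, code in a notebook sandbox running as root and the removal of a container-local IP blocklist, are exactly what a defender would want to see flagged. The following detection logic is an added example, not code from Wiz or from the article; the exec-log format, field names and the sample lines are constructed assumptions for illustration.

```python
"""Detect root execution and local firewall tampering in notebook containers.

Added example (not part of the original article or the Wiz research). The
log line format below is a constructed assumption: one process-exec event
per line with container id, effective uid, user name and the command line.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Constructed sample events; the blocked destination is a placeholder range.
SAMPLE_LOG = """\
container=nb-a1 uid=1000 user=cosmosuser cmd="python3 /tmp/cell.py"
container=nb-a1 uid=0 user=root cmd="dotnet /tmp/cell.dll"
container=nb-a1 uid=0 user=root cmd="iptables -D OUTPUT -d 10.0.0.0/8 -j DROP"
container=nb-b7 uid=1000 user=cosmosuser cmd="ls -la"
"""

LINE_RE = re.compile(r'container=(\S+) uid=(\d+) user=(\S+) cmd="([^"]*)"')
# Tools that edit a container-local packet filter; a sandboxed notebook
# kernel should never need them, and as root they are only advisory anyway.
FIREWALL_TOOLS = {"iptables", "ip6tables", "nft", "ipset"}
DESTRUCTIVE_FLAGS = {"-D", "-F", "--delete", "--flush", "delete", "flush"}


@dataclass(frozen=True)
class Alert:
    container: str
    rule: str
    cmd: str


def analyse(log_text: str) -> list[Alert]:
    """Return one Alert per rule hit, in log order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        container, uid, _user, cmd = m.groups()
        argv = shlex.split(cmd)
        if not argv:
            continue
        # Rule 1: the kernel language (Python vs C#) must not change the
        # effective user; any uid 0 exec inside a notebook container is a hit.
        if uid == "0":
            alerts.append(Alert(container, "root_exec_in_notebook", cmd))
        # Rule 2: deletion or flush of in-container firewall rules.
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in FIREWALL_TOOLS and DESTRUCTIVE_FLAGS & set(argv[1:]):
            alerts.append(Alert(container, "local_firewall_tamper", cmd))
    return alerts
```

The second rule is a detection of last resort: the lesson of the page is that egress restrictions enforced only inside the container are gone once root is obtained, so they belong at the network or host layer.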

From there, Ohfeld and Tzadik explored the previously forbidden IP addresses, discovering access to WireServer, which manages aspects of virtual machines within Azure and the extensions of every Azure VM. They discuss the details in a separate in-depth technical writeup, also published today. Through attempting to uncover secrets and explore the Cosmos DB environment, they were ultimately able to access 25 Microsoft certificates and their corresponding private keys, which Tzadik points to as the moment they knew they were onto something big.

"We were like, OK, this is interesting, let's see what happens," he says.

While the team only used six of the certificates, the ones they used allowed them to obtain the plaintext Primary Key for any Cosmos DB instance running in their cluster, letting them query and manipulate customer databases without authorization. They were able to obtain the plaintext auth token for any Jupyter Notebook instance running in the cluster, as well as plaintext passwords for customers' notebook storage accounts. They could also access the underlying infrastructure of Cosmos DB by accessing internal Azure storage blobs.

"In less than a week of active research, and by using only six of the 25 secrets we obtained, we believe that we were able to nearly take over the entire service," the researchers wrote, noting they gained the same privileges as the internal Microsoft employees who worked on it.

There were many lessons learned here, especially with respect to isolation in the cloud, says Tzadik. "We assumed isolation in the cloud worked properly, and we learned that is not always the case."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
