ChaosDB: Researchers Share Technical Details of Azure Flaw

Wiz researchers who discovered a severe flaw in the Azure Cosmos DB database discussed the full extent of the vulnerability at Black Hat Europe.

BLACK HAT EUROPE 2021 — LONDON — Researchers who discovered a severe vulnerability in the Microsoft Azure Cosmos DB database solution today revealed the full extent of the flaws they found and previously undisclosed details of their investigation, which it turns out was far more extensive than first revealed.

In August 2021, the Wiz team revealed a critical vulnerability in the Azure cloud platform that would enable remote account takeover of the Cosmos DB database. Dubbed ChaosDB, this flaw gave any Azure user full admin access to other customers' Cosmos DB instances without authorization. Its impact spanned thousands of businesses, including many Fortune 500 firms.

More specifically, multiple flaws existed in Microsoft's implementation of Jupyter Notebook, an open source Web application commonly used for data science. A local privilege escalation flaw led to unrestricted network access, which allowed researchers to access a wide range of certificates and private keys that provided admin access to other users' Cosmos DB accounts.

To make things worse, Cosmos DB accounts previously came with Jupyter Notebook auto-enabled, which wasn't made clear to users. As a result, many customers were unknowingly exposed to this vulnerability.

Wiz reported the findings to Microsoft, which issued a fix within 48 hours and confirmed in a blog post that no customer data had been accessed using this vulnerability by third parties or security researchers. It also shut down the Jupyter Notebook feature, albeit temporarily.

But this wasn't the full story of ChaosDB, Wiz security researchers Sagi Tzadik and Nir Ohfeld said in their Black Hat talk today. The vulnerability did more than allow an unprivileged user to obtain complete, unrestricted access to the databases of several thousand Azure customers.

By exploiting each misconfiguration in Cosmos DB and chaining them together, the researchers were able to obtain many of Microsoft's internal Cosmos DB-related secrets and credentials. With these, they were able to authenticate as admin to more than 100 Cosmos DB-related management panels in the form of Service Fabric instances (Service Fabric being the container orchestration platform used to run Cosmos DB).

The finding is unprecedented, Ohfeld says in an interview with Dark Reading. "No other person outside of Microsoft gained this kind of administrative access to the magic that actually makes the cloud work." This, Tzadik adds, was one of the reasons they held off on disclosing their full findings until now: to give the company sufficient time to mitigate the issue. Some of the information they could access was not only about Cosmos DB but about how Azure works.

"Besides taking over the account and manipulating data, we could also have damaged the Cosmos DB service due to the admin position we had from within it," the researchers explained in a blog post. "The impact of gaining access to the underlying Service Fabric instances means that this vulnerability was nearly impossible to defend against as a customer."

Going Down the Rabbit Hole
The team hadn't even been looking for vulnerabilities when their investigation began, Tzadik says in an interview with Dark Reading. Given the popularity of Cosmos DB, they were initially looking for common misconfigurations and reviewing the solution to spot errors.

While exploring its features, they discovered the embedded Jupyter Notebook container, which offers terminal access and the option to interact with the Cosmos DB instance in different programming languages. When they used the Jupyter terminal, or the default Python3 Notebook, they noticed their code was executed as the unprivileged "cosmosuser." When they ran code from the C# kernel instead of Python, they saw it was being executed with root privileges.

"When we saw the Jupyter Notebook feature, we couldn't resist," says Ohfeld. "As an attacker, when we see a place that lets us execute arbitrary code, we have to have a look."

After discovering the local privilege escalation vulnerability in Jupyter Notebook, they used their root privileges to look around the container to determine which network resources they could access. The researchers found a list of forbidden IP addresses, which they were able to delete as they were configured locally on the container, achieving unrestricted network access.
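The two conditions described above, a notebook kernel executing as root and an egress deny list enforced only inside the container, are both things a platform team can audit for. The following script is an added example written for this article, not Wiz's or Microsoft's code: it parses a constructed sample of `ps -eo pid,user,comm,args` output from a notebook container, flags user-code executors (kernels, shells) that run as root, and flags an egress policy whose only enforcement point is a file inside the container, where a root process could remove it. The process names, the `enforced_at` field and the IP range are assumptions made for the example.

```python
"""Audit a notebook container for two weaknesses described in the ChaosDB
write-up: kernels that execute user code as root, and network restrictions
enforced inside the container rather than outside it.

Added example. All sample data below is constructed, not captured from Azure.
"""
from dataclasses import dataclass

# Constructed sample of `ps -eo pid,user,comm,args` from a notebook container.
# Only the python3 kernel runs unprivileged; the .NET kernel and the terminal
# shell run as root.
SAMPLE_PS = """\
  PID USER       COMMAND  COMMAND
    1 root       tini     tini -- jupyter notebook
   42 cosmosuser python3  python3 -m ipykernel_launcher -f kernel-1.json
   57 root       dotnet   dotnet /opt/kernels/csharp/interactive.dll jupyter
   61 root       bash     bash
"""

# Constructed egress policy model. `enforced_at` is an assumed field naming
# where the deny list is applied: "container" (a local file or rule set the
# container can edit), "host", or "network".
SAMPLE_POLICY = {
    "egress_denylist": ["203.0.113.0/24"],  # TEST-NET placeholder range
    "enforced_at": "container",
}

# Process names treated as user-code executors (assumption for this example).
EXECUTOR_COMMS = {"dotnet", "bash", "sh", "R", "node", "julia"}


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_ps(text):
    """Turn `ps -eo pid,user,comm,args` output into (pid, user, comm, args) rows."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        rows.append((int(pid), user, comm, args))
    return rows


def is_user_code_executor(comm, args):
    """A kernel or shell that runs whatever the notebook user types."""
    return comm in EXECUTOR_COMMS or "ipykernel" in args


def executors_running_as_root(rows):
    """Rows where user-supplied code would execute with root privileges."""
    return [r for r in rows if r[1] == "root" and is_user_code_executor(r[2], r[3])]


def egress_policy_findings(policy):
    """Flag a missing deny list, or one the container itself can tamper with."""
    out = []
    if not policy.get("egress_denylist"):
        out.append(Finding("egress", "no egress deny list configured"))
    if policy.get("enforced_at") == "container":
        out.append(Finding(
            "egress",
            "deny list is enforced inside the container; a root process in the "
            "container can remove it, so enforce it at the host or network layer",
        ))
    return out


def audit(ps_text, policy):
    """Run both checks and return the combined list of findings."""
    findings = [
        Finding("root-executor", f"pid {pid} ({comm}) runs user code as {user}")
        for pid, user, comm, _ in executors_running_as_root(parse_ps(ps_text))
    ]
    findings.extend(egress_policy_findings(policy))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PS, SAMPLE_POLICY):
        print(f"[{f.check}] {f.detail}")
```

On a real container the `ps` text would come from `docker exec` or the orchestrator's exec API, and the policy model would be read from whatever declares the egress rules; the point of the `enforced_at` check is that a restriction the workload can edit is not a restriction once the workload runs as root.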

Their investigation continued from there as Ohfeld and Tzadik continued to explore the previously forbidden IP addresses, discovering access to WireServer, which manages aspects of virtual machines within Azure and the extensions of every Azure VM. They discuss the details in a separate in-depth technical writeup, also published today. Through attempting to uncover secrets and explore the Cosmos DB environment, they were ultimately able to access 25 Microsoft certificates and their corresponding private keys, which Tzadik points to as the moment they knew they were onto something big.

"We were like, OK, this is interesting, let's see what happens," he says.

While the team only used six of the certificates, the ones they used allowed them to obtain the plaintext Primary Key for any Cosmos DB instance running in their cluster, letting them query and manipulate customer databases without authorization. They were able to obtain the plaintext auth token for any Jupyter Notebook instance running in the cluster, as well as plaintext passwords for customers' notebook storage accounts. They could also access the underlying infrastructure of Cosmos DB by accessing internal Azure storage blobs.

"In less than a week of active research, and by using only six of the 25 secrets we obtained, we believe that we were able to nearly take over the entire service," the researchers wrote, noting they gained the same privileges as the internal Microsoft employees who worked on it.

There were many lessons learned here, especially with respect to isolation in the cloud, says Tzadik. "We assumed isolation in the cloud worked properly, and we learned that is not always the case."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
