Microsoft's Azure cloud platform exposed the database keys of 3,300 customers, including Fortune 500 enterprises, that had used a data-science feature available on the platform since 2019, cloud security firm Wiz said this week.
The company discovered a privilege-escalation vulnerability in Microsoft's implementation of Jupyter Notebooks, a popular interactive Web application for data science. This flaw allowed its researchers to access the primary database keys of other organizations using Jupyter Notebooks in Azure. Coca-Cola, Kohler, Rolls-Royce, Siemens, and Symantec all had database keys exposed, researchers found.
Wiz notified Microsoft within three days of the discovery, and Microsoft shut down the Jupyter Notebook feature within 48 hours of notification on Aug. 14, says Shir Tamari, head of research at Wiz.
"Our researchers managed to find this vulnerability that allowed them to do lateral movement from our instance of Jupyter Notebooks to other customers' Jupyter Notebooks," he says. "And this was the key part in the vulnerability, because other customers' Jupyter Notebooks contain access keys for their databases in Azure."
Microsoft sent an advisory to customers whose databases were exposed by the research, even though the Wiz researchers attempted to minimize any access to other company's data, Tamari says.
While cloud service providers are generally considered more capable of securing their services than enterprises, vulnerabilities in these services can be so extensive that a single issue can affect thousands of companies. Despite better baseline security in the cloud, almost 60% of companies are more concerned with their security after moving to cloud-native infrastructure, a May survey found.
Wiz researchers presented vulnerabilities in Amazon Web Services and Google Cloud Platform earlier this month at the Black Hat security briefings, showing ways to compromise the isolation between different customers' cloud infrastructure in much they same way as they did with Azure. The company has also argued for a CVE system for cloud vulnerabilities as a way to facilitate information sharing.
The latest Azure issue underscores how a single vulnerability can affect a wide swath of customers, the company stated in a blog post.
"Nearly everything we do online these days runs through applications and databases in the cloud," the company said, adding: "Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault."
Details of the vulnerability are currently sparse, as Microsoft investigates the scope of the issue. In addition, Microsoft asked the Wiz researchers not to provide details of the vulnerability. However, the researchers did describe the impact of the vulnerability — that they could, from a Jupyter Notebook instance, list all other notebooks in their region. Wiz does not believe that other features connected to Azure have the vulnerability.
"This vulnerability was in the design and the architecture of Jupyter Notebooks within the Cosmos DB service," he says. "We checked other cases for the vulnerability pattern, but so far, we only saw it in this case."
Microsoft confirmed details of the Cosmos DB issue in a statement to affected customers, Wiz said.
"Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key," a copy of the Microsoft alert stated. "This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately."
On Aug. 12, Microsoft turned off Jupyter Notebooks, making them inaccessible to customers.
"Microsoft notified only customers that were affected during our short research period (around a week)," Wiz wrote in an advisory on the issue. "We think the actual number of potentially impacted customers is much larger and probably includes the majority of Cosmos DB customers, as the vulnerability has been present for months."
Microsoft posted information on how to secure access to Cosmos DBs in an advisory published last week. Wiz and Microsoft recommend that companies manually revoke their access keys and generate new ones.
While the danger of a breach appears low, Tamari highlights that his company's researchers have had access to the keys and, while it is a small risk since they deleted the keys, the information could potentially be stolen from the company and used against others.
"We, as Wiz, had access, and we did it with our working laptops," he says. "When I have a key for Azure customers, this is not a good situation for us or our company. ... So they [other companies] must rotate their keys."