Azure Cosmos DB, Microsoft's globally distributed NoSQL database, contained a significant security flaw, reported Wiz, an Israeli company specializing in public cloud vulnerability discovery, in a blog post on 26 August 2021.
The problem was corrected immediately, Microsoft promises; the company emailed its customers to warn them of the flaw and said it did not appear to have been exploited. The US company paid Wiz $40,000 (approximately €34,000) for discovering and reporting the flaw.
Asos, Coca-Cola, Siemens, Symantec…
This vulnerability, dubbed “ChaosDB”, was discovered two weeks ago, but Wiz, whose technical team is led by a former Microsoft security official, claims that it had been lurking in the system for “at least several months or even years”. It could have allowed cybercriminals to steal data from “several thousand” companies using Cosmos DB, such as Coca-Cola, Asos, Siemens Healthineers, Symantec, Bentley, Skype, Exxon Mobil, Finastra…
Specifically, the flaw lay in a misconfiguration of the open-source “Jupyter Notebook” feature, which Microsoft added to Cosmos DB in 2019. Jupyter Notebooks are a kind of computational notebook that lets developers share code and run it within the same user interface.
The security breach offered malicious actors many possibilities: they could easily obtain the primary keys of Cosmos DB users. These keys grant read, write and delete permissions on the entire database to which the key is attached.
30% of customers alerted
Microsoft therefore invited 30% of Cosmos DB users, or 3,000 customers, to change their keys, which, importantly, do not have an expiration date. These are the customers who had the Jupyter Notebook feature enabled in the week in which Wiz discovered the breach. That is not enough, according to the Israeli company, because “every Cosmos DB account that uses the Jupyter Notebook feature, or that was created after January 2021, is potentially at risk”.
Indeed, from February the feature was enabled by default for every newly created Cosmos DB account, so the primary key could have been exposed even if the customer was unaware of the feature and never used it.
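Because Cosmos DB account keys never expire, the only remedy for a key that may have been exposed is to regenerate it. The script below is an added example, not code from the article, from Wiz or from Microsoft; it shows a staged rotation with the Azure CLI (`az cosmosdb keys regenerate`) that regenerates the secondary key first, so that clients can be moved onto it before the primary key is invalidated. It assumes the `az` CLI is installed and logged in; the account and resource-group names are placeholders, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not from the article, Wiz or Microsoft): staged rotation of
# Cosmos DB account keys. Assumes the Azure CLI (`az`) is installed and
# authenticated; account/resource-group names below are placeholders.
#
# Order matters because keys do not expire and clients hold them directly:
#   1. regenerate the SECONDARY key (nobody should be using it yet)
#   2. switch clients to the new secondary key
#   3. regenerate the PRIMARY key (the one that may have been exposed)
#   4. switch clients back to the new primary key

# Print the ordered az commands for one account (no side effects).
cosmos_rotation_plan() {
    account="$1"
    rg="$2"
    printf '%s\n' \
      "az cosmosdb keys regenerate --name $account --resource-group $rg --key-kind secondary" \
      "az cosmosdb keys regenerate --name $account --resource-group $rg --key-kind primary"
}

# Run the plan step by step; with DRY_RUN=1 only echo what would run.
# In a real rollout, pause between the two steps until every client has
# been switched to the freshly regenerated secondary key.
cosmos_rotate_keys() {
    account="$1"
    rg="$2"
    cosmos_rotation_plan "$account" "$rg" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            eval "$cmd" || return 1
        fi
    done
}

# Example invocation with placeholder names (dry run so it is safe to execute):
# DRY_RUN=1 cosmos_rotate_keys my-cosmos-account my-resource-group
```

After rotation, the new keys can be read back with `az cosmosdb keys list --name <account> --resource-group <rg> --type keys`; the read-only key pair (`primaryReadonly`, `secondaryReadonly`) follows the same two-step pattern if it is also in use.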
This new security incident comes a few months after the Microsoft Exchange affair, in which a group of hackers known as Hafnium targeted the email software used by many organizations and businesses around the world. That cyberattack affected, for example, the European Banking Authority (EBA), which is responsible for financial stability within the European Union.