CosmosDB Data Exposure (ChaosDB)

Overview

CosmosDB is Azure’s cloud-native NoSQL database.

Since February 2021, newly created databases have had a preview feature automatically enabled to let customers use Jupyter notebooks to make direct use of their data.

This feature had a security flaw that allowed privilege escalation from one customer’s notebook environment into other customers’ notebooks.

Impact

In the months where this feature was live, an attacker could exploit a misconfiguration in the Jupyter feature to gain access to other customers’ credentials. Those credentials would have given them full permissions to read from and write to the affected customers’ databases.

Affected Products

According to the researchers who discovered the flaw:

“Every Cosmos DB account that uses the notebook feature or that was created after February 2021 is potentially exposed.”

Containment, Mitigations & Remediations

Microsoft has disabled the vulnerable Jupyter feature until it can be redesigned.

Notifications have gone out to affected users.

Threat Landscape

Microsoft says there is no evidence of this being exploited by anyone other than the researchers, but as a precaution they are asking customers with the feature to regenerate their primary keys.
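The following is an added example, not part of the original advisory, showing how a defender might triage an inventory of Cosmos DB accounts against the exposure rule quoted above (notebook feature in use, or account created from February 2021 onwards) and emit the key-regeneration commands. The inventory format and field names are assumptions for this example, not the Azure CLI output schema; the `az cosmosdb keys regenerate` command itself is a real Azure CLI command.

```python
from datetime import date, datetime
from typing import Dict, Iterable, List

# Cut-off from the advisory: from February 2021 onwards, newly created
# accounts had the preview notebook feature enabled automatically.
FEATURE_ROLLOUT = date(2021, 2, 1)

# Constructed sample inventory (not real accounts). The field names are an
# assumption for this example, not the schema returned by `az cosmosdb list`.
SAMPLE_INVENTORY: List[Dict] = [
    {"name": "orders-db", "resourceGroup": "rg-prod",
     "created": "2020-11-03", "notebooksEnabled": False},
    {"name": "telemetry-db", "resourceGroup": "rg-prod",
     "created": "2021-04-19", "notebooksEnabled": False},
    {"name": "analytics-db", "resourceGroup": "rg-data",
     "created": "2019-06-30", "notebooksEnabled": True},
]


def is_potentially_exposed(account: Dict) -> bool:
    """Apply the researchers' rule: notebook feature used, or created
    on/after the February 2021 rollout (treated conservatively as in scope)."""
    created = datetime.strptime(account["created"], "%Y-%m-%d").date()
    return bool(account["notebooksEnabled"]) or created >= FEATURE_ROLLOUT


def accounts_to_rotate(inventory: Iterable[Dict]) -> List[Dict]:
    """Return the subset of accounts whose primary key should be regenerated."""
    return [a for a in inventory if is_potentially_exposed(a)]


def rotation_commands(inventory: Iterable[Dict]) -> List[str]:
    """Emit one Azure CLI command per in-scope account to regenerate its primary key."""
    return [
        "az cosmosdb keys regenerate --key-kind primary "
        f"--name {a['name']} --resource-group {a['resourceGroup']}"
        for a in accounts_to_rotate(inventory)
    ]


if __name__ == "__main__":
    for cmd in rotation_commands(SAMPLE_INVENTORY):
        print(cmd)
```

Regenerating the primary key invalidates it immediately, so applications using it should be moved to the secondary key before the rotation and back afterwards.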

Mitre Methodologies

T1190 – Exploit Public-Facing Application
T1530 – Data from Cloud Storage Object

Further Information

ChaosDB: How we hacked thousands of Azure customers’ databases