On Thursday, Microsoft informed several thousand customers of its Azure cloud service about a serious security vulnerability through which unauthorized persons could have gained full access to the customers’ cloud databases. The vulnerability affects one of the cloud service’s main products, the multi-model database CosmosDB. Microsoft says it has since closed the gap, but affected customers must take action themselves to prevent unauthorized access, Reuters reports.
Full access to customer databases
According to the Reuters report, IT security specialist Ami Luttwak of the company Wiz discovered the vulnerability on August 9 and reported it to Microsoft three days later. Microsoft told Reuters that it fixed the problem immediately “to keep our customers safe and secure” and thanked the security researchers for their work as part of the coordinated disclosure of the vulnerability. Microsoft also emailed Wiz to announce that it would pay $40,000 for the report of the vulnerability.
Then, on August 26, Microsoft emailed several thousand of its cloud customers affected by the problem. In the message, which Reuters has seen, the company warns its customers that attackers had the opportunity to read, change and even delete all of their main databases. Luttwak succeeded in gaining access to primary keys with read-write authorization (primary read-write keys), which gave him full access to customer databases. Because Microsoft could not change these keys itself, the company asked its customers to take action and regenerate the keys. Although the security gap has already been closed, this step is meant to definitively rule out a possible compromise of the databases. Microsoft wrote in the message that it had found no evidence that third parties (other than Wiz) had accessed the keys.
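As an added example that is not part of the article or of Microsoft’s own guidance, the remediation Microsoft asked of customers, regenerating a CosmosDB account’s keys, can be scripted with the Azure CLI; the script assumes an installed and logged-in `az`, the resource group and account names are placeholders, and it goes beyond the article by also rotating the secondary and read-only keys. It confirms each rotation by comparing checksums so that no key material is printed.

```shell
#!/usr/bin/env sh
# Added example (not from the article): rotate the keys of a CosmosDB account
# with the Azure CLI. Assumes `az` is installed and logged in. AZ can be
# overridden (e.g. with a wrapper function) to exercise the logic without Azure.
AZ="${AZ:-az}"

# Checksum of a key so a change can be confirmed without printing the secret.
key_fingerprint() {
  printf '%s' "$1" | cksum | cut -d' ' -f1
}

# Fetch the current value of one key kind
# (primary, secondary, primaryReadonly, secondaryReadonly).
current_key() {
  rg="$1"; account="$2"; kind="$3"
  case "$kind" in
    primary)           field=primaryMasterKey ;;
    secondary)         field=secondaryMasterKey ;;
    primaryReadonly)   field=primaryReadonlyMasterKey ;;
    secondaryReadonly) field=secondaryReadonlyMasterKey ;;
    *) echo "unknown key kind: $kind" >&2; return 1 ;;
  esac
  "$AZ" cosmosdb keys list --resource-group "$rg" --name "$account" \
      --type keys --query "$field" -o tsv
}

# Regenerate one key and verify that its checksum actually changed.
rotate_key() {
  rg="$1"; account="$2"; kind="$3"
  before=$(key_fingerprint "$(current_key "$rg" "$account" "$kind")")
  "$AZ" cosmosdb keys regenerate --resource-group "$rg" --name "$account" \
      --key-kind "$kind" >/dev/null
  after=$(key_fingerprint "$(current_key "$rg" "$account" "$kind")")
  if [ "$before" = "$after" ]; then
    echo "$account/$kind: key unchanged (checksum $after)" >&2
    return 1
  fi
  echo "$account/$kind: rotated ($before -> $after)"
}

# Rotate the read-write keys first (the kind the report says was exposed),
# then the read-only keys. Applications must be switched to the new keys.
rotate_account() {
  rg="$1"; account="$2"
  for kind in primary secondary primaryReadonly secondaryReadonly; do
    rotate_key "$rg" "$account" "$kind" || return 1
  done
}

# Placeholder names; replace with the real resource group and account.
# rotate_account demo-rg demo-cosmos-account
```

Switch applications to the regenerated keys immediately afterwards, since the old values stop working as soon as the regenerate call returns.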
“Worst cloud vulnerability imaginable”
Luttwak told Reuters that this was the worst cloud vulnerability imaginable. CosmosDB is the central database of Azure, and the Wiz team was able to access any customer database it wanted. Azure’s customers include numerous large, global corporations. Luttwak, CTO at Wiz, was previously CTO of Microsoft’s Cloud Security Group.
In a blog post, Luttwak describes his discovery of the vulnerability, which he named “ChaosDB”, in detail. The actual security flaw lies in Jupyter Notebook, a long-established data visualization tool that Microsoft has integrated into CosmosDB and that has been enabled by default since February of this year.
Microsoft informs affected customers – but probably not all
Speaking to Reuters, Luttwak criticized Microsoft’s warnings to its customers: The company only wrote to customers whose vulnerable keys were visible in the same month in which Wiz discovered and investigated the problem. Because the vulnerability was accessible for a long time, attackers were able to see the keys of many more customers, and Microsoft did not inform those customers. When asked about this, Microsoft only told Reuters that potentially affected customers had been informed, without explaining the statement any further.
Microsoft has already had to contend with several vulnerabilities and security gaps this year. In January it became known that attackers had penetrated Microsoft’s internal network through vulnerabilities at the service provider SolarWinds and viewed source code. In addition, printer management under Windows has several critical vulnerabilities against which administrators have to take action.