Microsoft has revealed that thousands of Azure Cosmos DB database users may need to update their security protections after a serious vulnerability was discovered.
Cosmos DB is Microsoft’s database service that runs on its Azure cloud computing platform and is used by various Fortune 500 companies around the world.
Cyber security researchers at cloud infrastructure security company Wiz have discovered a series of flaws in one of the database service’s features, which could be exploited by malicious actors to gain full control over a database’s data, meaning they could read, modify or even delete it.
“Any CISO’s nightmare is someone getting their access keys and exfiltrating gigabytes of data all at once. So you can imagine our surprise when we were able to gain full and unlimited access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies,” Wiz’s Nir Ohfeld and Sagi Tzadik wrote in a joint blog post.
Security researchers note that exploiting the vulnerability, which they named ChaosDB, was “trivial.”
The vulnerability exists in the Jupyter Notebook feature which helps users visualize their data. It was introduced in 2019 and was automatically activated for all Cosmos DB databases in February 2021.
Without giving too much detail, the researchers note that the Jupyter implementation gave attackers access to the database’s primary keys and other highly sensitive secrets, such as its blob storage access token.
Using these keys, the researchers were able to reach the database from the Internet and exercise complete read / write / delete control over it.
After being informed by the researchers, Microsoft quickly disabled the vulnerable notebook feature to prevent leaks of secrets. The company also requires a portion of its users to rotate their keys to ensure that any keys that have already been exfiltrated by unauthorized users are rendered useless.
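Rotating keys is the remediation Microsoft asked affected customers to carry out. The following script is an added example (not code from the article, Wiz or Microsoft) showing a rotation with the Az.CosmosDB PowerShell module; the resource group and account names are placeholders, and it assumes you have already signed in with Connect-AzAccount.

```powershell
# Added example: rotate the read-write keys of a Cosmos DB account.
# Assumes Az.CosmosDB is installed and Connect-AzAccount has been run;
# the two names below are placeholders to replace with your own values.
$ResourceGroupName = "rg-placeholder"
$AccountName       = "cosmos-account-placeholder"

function Invoke-CosmosKeyRotation {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$AccountName,
        [Parameter(Mandatory)] [ValidateSet("primary", "secondary")] [string]$KeyKind
    )

    # Snapshot the current key so we can confirm the rotation actually
    # happened without ever printing the key material itself.
    $before = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName `
                                       -Name $AccountName -Type "Keys"
    $old = if ($KeyKind -eq "primary") { $before.PrimaryMasterKey } else { $before.SecondaryMasterKey }

    # Regenerate the requested key; any leaked copy of it is now useless.
    New-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName `
                             -Name $AccountName -KeyKind $KeyKind | Out-Null

    $after = Get-AzCosmosDBAccountKey -ResourceGroupName $ResourceGroupName `
                                      -Name $AccountName -Type "Keys"
    $new = if ($KeyKind -eq "primary") { $after.PrimaryMasterKey } else { $after.SecondaryMasterKey }

    if ($new -eq $old) {
        throw "Rotation of the $KeyKind key for $AccountName did not change the key"
    }
    Write-Host "Rotated $KeyKind key for $AccountName at $(Get-Date -Format o)"
}

# Rotate the secondary key first, repoint applications to it, then rotate
# the primary key, so clients never lose access during the swap. The
# Read-Host pause is where the application cut-over happens.
Invoke-CosmosKeyRotation -ResourceGroupName $ResourceGroupName -AccountName $AccountName -KeyKind "secondary"
Read-Host "Switch applications to the new secondary key, then press Enter to rotate the primary key"
Invoke-CosmosKeyRotation -ResourceGroupName $ResourceGroupName -AccountName $AccountName -KeyKind "primary"
```

The read-only keys (`-KeyKind primaryReadonly` / `secondaryReadonly`) follow the same pattern if they were shared with notebooks or other tooling.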
Microsoft’s email reportedly pointed out that the company had not found any evidence to suggest that the flaw had been exploited.