Microsoft’s Azure had a vulnerability that left customer data exposed, potentially for the last two years. The issue stems from a flaw in Microsoft’s Azure Cosmos DB. The data of over 3,300 Azure customers could be accessed without restriction by attackers who exploited the vulnerability.
Azure Cosmos DB is a database service for modern app development. Microsoft lists major customers of Azure Cosmos DB on its website, including Coca-Cola, Citrix, ExxonMobil, Liberty Mutual Insurance, and Albertsons-Safeway. Microsoft’s Skype also uses Azure Cosmos DB.
Wiz discovered the vulnerability (via The Verge). Its chief technology officer, Ami Luttwak, said, “This is the worst cloud vulnerability you can imagine. This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Microsoft added a feature called Jupyter Notebook to Cosmos DB in 2019. The feature lets people visualize data and create custom views. It was automatically enabled for all Cosmos DBs in February 2021. Due to a series of misconfigurations, Wiz was able to exploit Jupyter Notebook to gain privileged access to the primary keys of customers’ Cosmos DBs. With the keys, Wiz gained full access to DBs with read, write, and delete permissions.
The issue was discovered two weeks ago, and Microsoft fixed it within 48 hours of Wiz reporting it. Because Microsoft cannot change customers’ primary access keys itself, it had to tell customers to regenerate their keys manually, which mitigates the exposure from the vulnerability.
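The mitigation the article describes is a key rotation on the affected Cosmos DB account. The script below is an added example, not code from the article, Microsoft or Wiz; it wraps the Azure CLI’s `az cosmosdb keys regenerate` command, which accepts `--key-kind primary|secondary|primaryReadonly|secondaryReadonly`. The account name `ACCOUNT_NAME` and resource group `RG_NAME` are placeholders, and the `DRY_RUN` switch and function names are this example’s own conventions. Regenerating the secondary keys first, moving clients to them, and only then regenerating the primary keys is the order that keeps applications connected throughout; whatever was leaked is invalidated once every key kind has been regenerated.

```shell
#!/bin/sh
# Added example: rotate every access key of an Azure Cosmos DB account with the Azure CLI.
# ACCOUNT_NAME / RG_NAME below are placeholders; DRY_RUN=1 prints the commands instead
# of executing them so the runbook can be reviewed (or tested) without an Azure login.

# az_cmd ARGS... : run "az ARGS..." or, in dry-run mode, just echo the command line.
az_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# regenerate_key ACCOUNT RG KIND
# KIND is one of: primary | secondary | primaryReadonly | secondaryReadonly
regenerate_key() {
  az_cmd cosmosdb keys regenerate --name "$1" --resource-group "$2" --key-kind "$3"
}

# rotate_all_keys ACCOUNT RG
# Step 1: regenerate the secondary read-write and read-only keys.
# Step 2: (manual / out of band) re-point applications at the new secondary keys.
# Step 3: regenerate the primary read-write and read-only keys.
# After step 3 none of the previously issued keys work any more.
rotate_all_keys() {
  account=$1
  rg=$2
  regenerate_key "$account" "$rg" secondary         || return 1
  regenerate_key "$account" "$rg" secondaryReadonly || return 1
  # Cut clients over to the fresh secondary keys here before continuing.
  regenerate_key "$account" "$rg" primary           || return 1
  regenerate_key "$account" "$rg" primaryReadonly   || return 1
}

# count_regenerated ACCOUNT RG : number of regenerate commands the runbook issues
# (handy as a post-condition in dry-run mode: all four key kinds must be covered).
count_regenerated() {
  DRY_RUN=1 rotate_all_keys "$1" "$2" | grep -c 'keys regenerate'
}

# Usage (placeholders): DRY_RUN=1 rotate_all_keys ACCOUNT_NAME RG_NAME
```

Run it once with `DRY_RUN=1` to see the exact commands, then without it against a logged-in `az` session; confirm afterwards with `az cosmosdb keys list --name ACCOUNT_NAME --resource-group RG_NAME` that the values differ from the ones recorded before the rotation.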
Microsoft informed the 30% of its Cosmos DB customers that Wiz’s research showed to be affected. Wiz believes that the vulnerability has been exploitable for at least several months, and that it could have been exploitable for years.
While the security implications of the vulnerability are serious, Microsoft claims that there isn’t evidence that it’s been used by attackers to gain data. A statement from Microsoft to Bloomberg explains that “There is no evidence of this technique being exploited by malicious actors.” Microsoft adds that it is “not aware of any customer data being accessed because of this vulnerability.”
Wiz received $40,000 from Microsoft for discovering the vulnerability, according to Reuters.