Azure Cosmos DB Jupyter Notebook ChaosDB Vulnerability Threat Intel Advisory

A security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook instance, referred to as ChaosDB, that allows a user to gain access to another user’s data.
Updated on: April 19, 2023
Published on: October 11, 2021
Read time: 5 minutes

Category

Vulnerability Intelligence

Affected Industries

Multiple

Affected Region

Global

TLP#

GREEN

Reference

* https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
# https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook instance, referred to as ChaosDB, that allows a user to gain access to another user’s data.
  • Azure Cosmos DB is Microsoft's proprietary database service used for modern application development. Its built-in Jupyter Notebooks let users analyze and visualize their data directly from the Azure portal.
  • An exploit chain through the Jupyter Notebook feature of Cosmos DB could expose an account's primary read-write keys, giving an attacker full access to the data in that account.
  • Organisations are advised to regenerate their account keys as a mitigating measure.
 

Analysis

Azure Cosmos DB has a built-in Jupyter Notebook feature that was affected by a vulnerability dubbed ChaosDB. A chain of flaws in the notebook environment could allow an attacker to query internal metadata and retrieve credentials for Cosmos DB accounts, the Jupyter Notebook compute, and the Jupyter Notebook storage accounts, including the primary read-write keys. With those keys an attacker can view, modify, and delete data in the victim's Cosmos DB account. The primary key could be obtained regardless of how the account's network access was configured; however, the data itself could only be reached if the attacker could also connect to the account's endpoint, so Cosmos DB firewall rules, virtual network rules, or private endpoints that block public access limit what a stolen key can be used for.

To counter the impact, Microsoft has released an official guide to regenerating the primary Cosmos DB keys; the details are given in the Impact & Mitigation section of this advisory.

Key Points

  • Any Cosmos DB account with the Jupyter Notebook feature enabled was exposed, regardless of which other services run on the organisation's Azure infrastructure.
  • Cloud service vulnerabilities are usually not assigned CVE IDs, so ChaosDB has no CVE ID. Microsoft recommends that organisations regenerate the primary read-write key of their Cosmos DB accounts by following the guide referenced in the Impact & Mitigation section of this advisory.
  • Even though Microsoft has disabled the vulnerable feature, all Cosmos DB users have been advised to assume that they may have been affected by this attack.
  Timeline of events leading up to the disclosure of the vulnerability:
  • August 09, 2021 - Wiz Research Team first exploited the bug and gained unauthorized access to Cosmos DB accounts.
  • August 12, 2021 - Wiz Research Team sent the advisory to Microsoft.
  • August 14, 2021 - Wiz Research Team observed that the vulnerable feature had been disabled.
  • August 16, 2021 - MSRC confirmed the reported behavior (MSRC Case 66805).
  • August 16, 2021 - Wiz Research Team observed that some of the credentials obtained had been revoked.
  • August 17, 2021 - MSRC awarded a USD 40,000 bounty for the report.
  • August 23, 2021 - MSRC confirmed that several thousand customers had been impacted.
  • August 26, 2021 - Public disclosure.
  • According to the official statement published by Microsoft, no customer data was accessed via the vulnerability. However, CloudSEK Threat Intelligence came across an advertisement published by a threat actor on a cybercrime forum, selling the data of 21 million Microsoft users.
[Figure: Threat actor's post on the cybercrime forum]
  • Here's a quick service reference for SOC teams monitoring Cosmos DB network traffic:

  Connection mode | Supported protocol | API / service port
  ----------------|--------------------|--------------------------------------------------------------------------------------
  Gateway         | HTTPS              | SQL (443), MongoDB (10250, 10255, 10256), Table (443), Cassandra (10350), Graph (443)
  Direct          | TCP                | Public/service endpoints: ports 10000 through 20000; private endpoints: ports 0 through 65535

  Port 10250 maps to the default Azure Cosmos DB API for MongoDB instance without geo-replication, whereas ports 10255 and 10256 map to instances with geo-replication enabled.
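As an added example (not code from the advisory, from CloudSEK or from Microsoft), the script below applies the port reference above to connection records: it classifies flows to known Cosmos DB endpoints by API/mode and flags any that originate outside an allow-list of expected client networks. The log layout ("timestamp,src_ip,dst_ip,src_port,dst_port,proto,decision"), the endpoint addresses, the allow-list and the log lines are all constructed for the demo. One caveat for SOC teams: a stolen key used from the internet never crosses your own NSGs or firewalls, so this kind of egress monitoring only catches misuse from inside your estate; the account's IP firewall, virtual network rules or private endpoints, and the account's own diagnostic logs, are the controls for external use of a leaked key.

```python
"""Flag Cosmos DB data-plane connections in connection logs by destination port.

Added example; the port map is the one in the SOC reference table above.
Log lines, endpoint addresses and the allow-list are constructed, and the
CSV layout (timestamp,src_ip,dst_ip,src_port,dst_port,proto,decision with
decision A = allowed, D = denied) is a layout chosen here, not a vendor format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Gateway-mode ports from the reference table, keyed to the API they serve.
GATEWAY_PORTS = {
    443: "SQL/Table/Graph (gateway, HTTPS)",
    10250: "MongoDB (gateway, no geo-replication)",
    10255: "MongoDB (gateway, geo-replicated)",
    10256: "MongoDB (gateway, geo-replicated)",
    10350: "Cassandra (gateway)",
}
# Direct-mode TCP range for public/service endpoints (10000..20000 inclusive).
DIRECT_PUBLIC_PORTS = range(10000, 20001)


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    api: str
    unexpected_source: bool  # True when src_ip is outside the allow-list


def cosmos_api_for_port(dst_port: int, private_endpoint: bool) -> Optional[str]:
    """Map a destination port to a Cosmos DB API/mode, or None if not Cosmos traffic.

    Over a private endpoint, direct mode may use any port (0-65535), so every
    port that is not a known gateway port is treated as direct-mode traffic.
    """
    if dst_port in GATEWAY_PORTS:
        return GATEWAY_PORTS[dst_port]
    if dst_port in DIRECT_PUBLIC_PORTS:
        return "Direct mode (TCP, public/service endpoint)"
    if private_endpoint:
        return "Direct mode (TCP, private endpoint)"
    return None


def parse_line(line: str):
    ts, src, dst, _sport, dport, proto, decision = line.strip().split(",")
    return ts, src, dst, int(dport), proto, decision


def scan(lines, public_endpoints, private_endpoints, allowed_sources) -> List[Finding]:
    """Return one Finding per allowed flow that reaches a Cosmos DB endpoint on a
    Cosmos DB port; flows from outside allowed_sources are marked unexpected."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings: List[Finding] = []
    for raw in lines:
        if not raw.strip():
            continue
        ts, src, dst, dport, _proto, decision = parse_line(raw)
        if decision != "A":
            continue  # denied flows never reached the endpoint
        is_private = dst in private_endpoints
        if dst not in public_endpoints and not is_private:
            continue
        api = cosmos_api_for_port(dport, is_private)
        if api is None:
            continue
        src_ip = ipaddress.ip_address(src)
        unexpected = not any(src_ip in net for net in allowed)
        findings.append(Finding(ts, src, dst, dport, api, unexpected))
    return findings


# Constructed sample: 203.0.113.50 stands in for a public Cosmos DB endpoint,
# 10.2.0.5 for a private endpoint NIC; 10.1.0.0/24 is the expected app subnet.
SAMPLE_PUBLIC = {"203.0.113.50"}
SAMPLE_PRIVATE = {"10.2.0.5"}
SAMPLE_ALLOWED = ["10.1.0.0/24"]
SAMPLE_LOG = """\
2021-08-27T10:00:01Z,10.1.0.4,203.0.113.50,51000,443,T,A
2021-08-27T10:00:02Z,10.1.0.4,203.0.113.50,51001,10255,T,A
2021-08-27T10:00:03Z,198.51.100.7,203.0.113.50,40000,12345,T,A
2021-08-27T10:00:04Z,10.1.0.9,203.0.113.50,51002,22,T,A
2021-08-27T10:00:05Z,198.51.100.7,203.0.113.50,40001,10350,T,D
2021-08-27T10:00:06Z,10.3.0.8,10.2.0.5,51003,31337,T,A
"""


def demo() -> List[Finding]:
    return scan(SAMPLE_LOG.splitlines(), SAMPLE_PUBLIC, SAMPLE_PRIVATE, SAMPLE_ALLOWED)


if __name__ == "__main__":
    for f in demo():
        flag = "UNEXPECTED SOURCE" if f.unexpected_source else "ok"
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_ip}:{f.dst_port} {f.api} [{flag}]")
```

On the sample, the SSH flow on port 22 and the denied Cassandra attempt are ignored, the two flows from the app subnet are reported as expected, and the direct-mode flow from 198.51.100.7 plus the private-endpoint flow from 10.3.0.8 are flagged as coming from outside the allow-list.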
  In a related development, a similar bug was found in Microsoft's Azure Container Instances service, which Microsoft says has been fixed. The technical details of the flaw were withheld; Microsoft published an advisory warning users to revoke any privileged credentials deployed to the platform before August 31, 2021, and noted that rotating privileged credentials would be "an effective precautionary measure", which points to an authentication issue.

Impact & Mitigation

Impact

  • Cosmos DB accounts may be targeted for information gathering.
  • Retrieval of the account keys may lead to unauthorized account takeover.
  • Unauthorized modification and data exfiltration lead to loss of data integrity and confidentiality.

Mitigation

  • Microsoft has asked organisations to regenerate the primary keys of their Cosmos DB accounts.
  • Link to the official guide: https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys
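The following is an added example, not the advisory's or Microsoft's own code, of carrying out the key regeneration recommended above in the order the linked guide describes for rotation without downtime: regenerate the secondary key, move applications to it, regenerate the primary, then move applications back. The real control-plane client is azure.mgmt.cosmosdb.CosmosDBManagementClient, whose database_accounts.list_keys(resource_group, account) and database_accounts.begin_regenerate_key(resource_group, account, {"keyKind": ...}) calls rotate_keys() drives; FakeDatabaseAccounts is a constructed in-memory stand-in with the same call shapes so the sequence runs offline, and "my-rg" / "my-cosmos-account" are placeholder names.

```python
"""Rotate a Cosmos DB account's read-write keys without a window in which
applications hold a key that has just been invalidated.

Added example. The real client is azure.mgmt.cosmosdb.CosmosDBManagementClient
(pass client.database_accounts as `accounts`); FakeDatabaseAccounts below is a
constructed stand-in with the same two call shapes so this runs offline.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class KeyListResult:
    # Attribute names follow the SDK's DatabaseAccountListKeysResult.
    primary_master_key: str
    secondary_master_key: str


class _Poller:
    """Minimal stand-in for the LROPoller that begin_regenerate_key() returns."""

    def result(self):
        return None


class FakeDatabaseAccounts:
    """Constructed stand-in for client.database_accounts (assumption: only
    list_keys and begin_regenerate_key are needed, as used in rotate_keys)."""

    def __init__(self):
        self._keys = {"primary": secrets.token_urlsafe(48),
                      "secondary": secrets.token_urlsafe(48)}
        self.regenerated: List[str] = []  # keyKind values, in call order

    def list_keys(self, resource_group_name: str, account_name: str) -> KeyListResult:
        return KeyListResult(self._keys["primary"], self._keys["secondary"])

    def begin_regenerate_key(self, resource_group_name: str, account_name: str,
                             key_to_regenerate: dict) -> _Poller:
        kind = key_to_regenerate["keyKind"]  # "primary" or "secondary" here
        self._keys[kind] = secrets.token_urlsafe(48)  # old value is now invalid
        self.regenerated.append(kind)
        return _Poller()


def rotate_keys(accounts, rg: str, account: str,
                switch_app_key: Callable[[str], None]) -> List[str]:
    """Regenerate secondary, cut apps over to it, regenerate primary, cut back.

    switch_app_key is the caller's hook that repoints applications (config
    store, Key Vault secret, restart). Returns the keys handed to it, in order.
    """
    handed_out: List[str] = []

    def cut_over(key: str) -> None:
        switch_app_key(key)
        handed_out.append(key)

    before = accounts.list_keys(rg, account)

    # Step 1: regenerate the secondary while apps still use the primary, so the
    # key being invalidated has no consumers.
    accounts.begin_regenerate_key(rg, account, {"keyKind": "secondary"}).result()
    fresh = accounts.list_keys(rg, account)
    cut_over(fresh.secondary_master_key)

    # Step 2: the (possibly leaked) primary now has no consumers; regenerate it
    # and move apps back onto the new primary.
    accounts.begin_regenerate_key(rg, account, {"keyKind": "primary"}).result()
    after = accounts.list_keys(rg, account)
    cut_over(after.primary_master_key)

    # Both read-write keys must have changed; any pre-rotation key is now useless.
    if (after.primary_master_key == before.primary_master_key
            or after.secondary_master_key == before.secondary_master_key):
        raise RuntimeError("key rotation did not replace both read-write keys")
    return handed_out


if __name__ == "__main__":
    fake = FakeDatabaseAccounts()
    rotate_keys(fake, "my-rg", "my-cosmos-account",
                lambda k: print("apps now using key ending in", k[-6:]))
    print("regenerated in order:", fake.regenerated)
```

With the real SDK, construct `CosmosDBManagementClient(DefaultAzureCredential(), subscription_id)` and pass its `database_accounts` attribute in place of the fake; the read-only keys can be rotated the same way with the "primaryReadonly" and "secondaryReadonly" key kinds. Applications that authenticate with Azure AD (role-based access) instead of account keys are unaffected by the rotation, which is one reason to move them off keys altogether.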

Reference

https://chaosdb.wiz.io/
