ChaosDB Azure Vulnerability


Summary

ChaosDB is a critical vulnerability in Microsoft's Azure Cosmos DB database service. An attacker could exploit it to gain read/write access to other users' database information as well as the underlying Azure hosting infrastructure.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Security researchers have discovered a critical vulnerability - named ChaosDB - in Cosmos DB, Microsoft Azure's proprietary database service. They claim that an attacker could exploit it to gain access to any Cosmos DB instance, as well as the underlying API infrastructure.


Vulnerability details

ChaosDB appears to be the result of a feature integration Microsoft made in February 2021 when they added the Jupyter Notebook data visualisation application to all Cosmos DB instances. This application was initially misconfigured, allowing a user to escalate their privileges and gain access to any other Jupyter Notebook instances running on the same Cosmos DB public cloud.


Impact

By exploiting this misconfiguration, an attacker could obtain other users' Cosmos DB primary keys and associated access tokens, at which point they would gain full administrative rights to the users' Jupyter Notebook instances, the storage used by these instances, as well as the Cosmos DB instance they are hosted within.

No evidence of exploitation

At the time of publication, Microsoft has found no evidence of exploitation across the entire Cosmos DB Azure estate.


Remediation advice

Microsoft has recommended that all organisations using Cosmos DB regenerate their primary read-write keys using the following guidance. They have also recommended the following best practices for all Cosmos DB users:

  1. Use a combination of firewall rules, vNet, and Azure Private Link on accounts to prevent access from unexpected locations.
  2. Implement role-based access controls.
  3. Implement key rotation schedules.
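
One way to check an account against these three recommendations, as an added example that is not from Microsoft or the original advisory: it audits the parsed JSON that `az cosmosdb show` returns. The field names are assumed to match that output, the 90-day key age limit and both sample accounts are constructed, and the `disableLocalAuth` test is only a proxy for RBAC being enforced.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; the advisory sets no interval

def audit_account(acct, now):
    """Check one account (parsed `az cosmosdb show` JSON) against the three practices."""
    findings = []
    # 1. Network: public endpoint reachable with no IP or vNet filter, no Private Link.
    public = acct.get("publicNetworkAccess", "Enabled") == "Enabled"
    filtered = bool(acct.get("ipRules")) or bool(
        acct.get("isVirtualNetworkFilterEnabled") and acct.get("virtualNetworkRules"))
    if public and not filtered:
        findings.append("network: public endpoint with no firewall or vNet rules")
    if not acct.get("privateEndpointConnections"):
        findings.append("network: no Private Link endpoint")
    # 2. RBAC (proxy check): while key auth is enabled, a leaked key bypasses RBAC.
    if not acct.get("disableLocalAuth", False):
        findings.append("rbac: key-based auth still enabled")
    # 3. Rotation: age of each account key from its recorded generation time.
    for name, meta in sorted(acct.get("keysMetadata", {}).items()):
        stamp = meta.get("generationTime")
        if not stamp:
            findings.append(f"rotation: {name} has no generation time")
            continue
        # Keep whole seconds only; the timestamps are UTC with variable precision.
        made = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        age = (now - made).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"rotation: {name} is {age} days old")
    return findings

# Constructed sample accounts (not real output).
NOW = datetime(2021, 9, 2, tzinfo=timezone.utc)
WEAK = {"publicNetworkAccess": "Enabled", "ipRules": [], "virtualNetworkRules": [],
        "isVirtualNetworkFilterEnabled": False, "privateEndpointConnections": None,
        "disableLocalAuth": False,
        "keysMetadata": {"primaryMasterKey": {"generationTime": "2021-02-01T00:00:00.0000000Z"},
                         "secondaryMasterKey": {"generationTime": "2021-08-27T00:00:00.0000000Z"}}}
HARDENED = {"publicNetworkAccess": "Disabled", "ipRules": [],
            "privateEndpointConnections": [{"id": "constructed-endpoint"}],
            "disableLocalAuth": True,
            "keysMetadata": {"primaryMasterKey": {"generationTime": "2021-08-27T00:00:00.0000000Z"}}}

if __name__ == "__main__":
    for label, acct in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_account(acct, NOW))
```

A key flagged by the rotation check can be replaced with `az cosmosdb keys regenerate`, after moving clients to the other key of the pair.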

Last edited: 2 September 2021 2:20 pm