Azure: Thousands of customers threatened by ChaosDB vulnerability in Azure Cosmos DB

[German]Heavy blow for users of the Microsoft Azure cloud if a Cosmos DB is involved (the DB stands for Data Breach, just no one has noticed yet). There was a severe vulnerability (now closed) that allowed attackers to take over the database. Microsoft must have started notifying affected Azure customers.


The vulnerability was discovered in August 2021 by security researchers at vendor Wiz. The following tweet addresses the problem – they refer to Cosmos as Chaos DB. On the Wiz blog, Nir Ohfeld and Sagi Tzadik describe how trivial it was for them to take over the database for many Azure customers.

Cosmos DB vulnerability

Cosmos DB for Azure cloud customers

Azure Cosmos DB was released in 2017 as a proprietary nonSQL database by Microsoft for its Azure customers. It is a globally distributed multi-model database service "for global big data management." Cosmos DB is schema-independent and horizontally scalable. Internally, Cosmos DB stores "elements" in "containers," according to Wikipedia.

Wiz writes that customers such as Coca-Cola, Exxon-Mobil and Citrix use Cosmos DB to manage massive amounts of data from around the world in near real-time. Cosmos DB is one of the easiest and most flexible ways for developers to store data and supports critical business functions such as processing millions of transactions or managing customer orders on e-commerce sites, the Wiz folks said.

Database primary key exfiltrated

Wiz's security research team is constantly looking for new attack surfaces in the cloud. In mid-August 2021, security researchers discovered a previously unknown vulnerability in Azure's database service, Cosmos DB. The researchers were able to gain unrestricted access to the accounts and databases of several thousand Microsoft Azure customers, including many Fortune 500 companies, via a master key.


In 2019, Microsoft added a feature called Jupyter Notebook to Cosmos DB, which was automatically enabled for all Cosmos DBs in February 2021. The feature allows customers to visualize their data and create custom views. A series of misconfigurations in the Notebook feature opened up a new attack vector for security researchers to exploit. In short, the notebook container allowed privilege escalation to other customer notebooks (security researchers plan to release technical details about the escalation soon).

Jupyter Notebook zu Cosmos DB
(Source: Wiz)

It looks like Wiz security researchers managed to gain access to Cosmos DB primary keys via this feature. An attacker could gain access to Cosmos DB's primary keys and other highly sensitive secrets such as the access token for notebook blob storage. These primary keys allow access to all databases set up with that key. This is effectively the administrator giving full access (read, write, delete) to the database. This creates a worst-case scenario, as an attacker who captures this key could read, manipulate or delete many Azure customers' databases worldwide. Speaking to Reuters, Wiz's Ami Luttwak said:

This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.

The security researchers state that the vulnerability can be exploited in a trivial way without requiring prior access to the target environment. The vulnerability, which affects thousands of organizations, including many Fortune 500 companies, has been given the name ChaosDB.

A nightmare for Microsoft and it's customers

The security researchers, after capturing the Cosmos DB primary keys, were able to show that an attacker could use these keys to gain full administrative access to all data stored in the affected Cosmos DB accounts. The vulnerability was discovered on August 9, 2021, and reported to Microsoft on August 12, 2021.

48 hours after the notification to Microsoft, its security people had already disabled the vulnerable Jupyter Notebook feature. Microsoft states that affected Azure customers were notified about the incident. Microsoft also says there was no indication that outside entities outside the researcher (Wiz) had access to the primary read-write key.

Wiz's security researchers received a $40,000 reward for reporting the vulnerability. They state that the vulnerability existed since February 2021. The recommendation is that even customers who did not receive notification from Microsoft should replace this master key. This is because there would be a possibility that unauthorized third parties have already had access or are trying to gain access.

This is now a fat scratch on the high praise of cloud security, and fits in seamlessly with disasters like the Hafnium Exchange hack of spring 2021, because Microsoft could not provide vulnerabilities with security updates fast enough. Mistakes can happen all the time, but in the cloud, it quickly affects hundreds of thousands or millions of customers. What's also bothering me now: What are European customers who used Microsoft Azure with Cosmos DB doing? Theoretically, GDPR reports should now be send to the relevant data protection authorities about a potential data breach due this security flaw – through which people's personal data could have been leaked.

Addendum: Microsoft has already issued instructions for customers to secure Cosmos DB as of August 20, 2021. The colleagues at Bleeping Computer have written this article on the subject.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *