Microsoft has revealed another huge security vulnerability, with the software giant forced to notify thousands of Azure customers that their data had been freely accessible. The exploit left the databases of multiple big-name companies open to unauthorized read/write access, in what’s being referred to as the “ChaosDB” vulnerability.
The news comes after a series of embarrassing and significant Windows exploits which left Microsoft playing whack-a-mole with a number of patches. Those vulnerabilities took advantage of issues in the Windows Print Server system that dated back through multiple versions of the OS.
This time around, though, it’s the Cosmos DB database service of Microsoft Azure that’s suffering the issue. According to research firm Wiz, “a series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”
The team there blames a series of misconfigurations in Cosmos DB for leaving the way open for hackers to gain access. First, Microsoft enabled a new visualization tool in Cosmos DB back in 2019, and then switched it on by default in February of this year. However, in the process it also allowed attackers looking for Cosmos DB primary keys to grab them, among other things.
With those keys, Wiz was able to secure long-term access to the assets and data that companies – some familiar from the Fortune 500 – were storing in Azure. That included full read, write, and delete permissions.
Wiz notified Microsoft, which disabled the vulnerable feature within 48 hours. The company will be redesigning it, and the visualization option is currently switched off.
“However, customers may still be impacted since their primary access keys were potentially exposed,” Nir Ohfeld and Sagi Tzadik of Wiz suggest. “These are long-lived secrets and in the event of a breach, an attacker could use the key to exfiltrate databases. Today Microsoft notified over 30% of Cosmos DB customers that they need to manually rotate their access keys to mitigate this exposure.”
Even that may not be the full roster of those affected, and Wiz is recommending that all Cosmos DB account holders follow Microsoft’s guide to regenerate and rotate the keys for their account. It’s unclear which companies Microsoft notified, though customers of Cosmos DB include brands like Coca-Cola, Quest, Symantec, Citrix, and Exxon-Mobil, among many others.
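The rotation Wiz recommends is easy to get wrong under pressure: regenerating the key that applications are currently using cuts them off, and moving them onto a secondary key that may itself have been exposed defeats the purpose. The following is an added example, not code from the article, Wiz or Microsoft, of a staged rotation using the Azure CLI's `az cosmosdb keys` commands. The resource group and account names are placeholders, the `switch_clients_to` hook is a hypothetical stand-in for whatever secret store (Key Vault, app settings) the real deployment uses, and `AZ` lets a dry run substitute `echo` for the real CLI.

```shell
#!/usr/bin/env bash
# Added example: staged rotation of a Cosmos DB account's read/write keys.
# Assumes `az` is installed and logged in. RG/ACCOUNT values are placeholders.
set -eu

# Command used to reach Azure; set AZ=echo for a dry run that prints the calls.
AZ="${AZ:-az}"

# Regenerate one key. Valid kinds: primary, secondary,
# primaryReadonly, secondaryReadonly.
regenerate_key() {
  local rg="$1" account="$2" kind="$3"
  "$AZ" cosmosdb keys regenerate --resource-group "$rg" --name "$account" \
    --key-kind "$kind"
}

# Fetch the current value of one read/write key (field: primaryMasterKey or
# secondaryMasterKey). Feed the result straight into a secret store; never log it.
fetch_key() {
  local rg="$1" account="$2" field="$3"
  "$AZ" cosmosdb keys list --resource-group "$rg" --name "$account" \
    --type keys --query "$field" -o tsv
}

# Hypothetical hook: repoint applications at the named key. In a real deployment
# this would call fetch_key and update Key Vault / app settings, then wait for
# clients to reload. The placeholder only records the step.
switch_clients_to() {
  echo "switch clients to $1 key"
}

# Staged rotation that never leaves clients on a key about to be destroyed and
# never moves them onto a key that predates the exposure:
#   1. regenerate the key clients are NOT using (secondary), so it is fresh
#   2. move clients onto that fresh secondary key
#   3. regenerate the possibly exposed primary key
#   4. move clients back onto the fresh primary key
# After step 3 neither key value from before the rotation is still valid.
rotate_rw_keys() {
  local rg="$1" account="$2"
  regenerate_key "$rg" "$account" secondary
  switch_clients_to secondary
  regenerate_key "$rg" "$account" primary
  switch_clients_to primary
}

# Run only when invoked directly: ./rotate.sh <resource-group> <account>
if [ "$#" -eq 2 ]; then
  rotate_rw_keys "$1" "$2"
fi
```

Read-only keys (`primaryReadonly`, `secondaryReadonly`) follow the same pattern if any client uses them; an account whose clients authenticate with Azure AD role assignments instead of account keys sidesteps the problem entirely, since there is no long-lived shared secret to exfiltrate.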
In a statement to Bloomberg, Microsoft insisted that it has no evidence of data being exploited through the vulnerability.