CISA urges enterprises to fix Microsoft Azure Cosmos DB flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging enterprises to address the recently disclosed vulnerability in Microsoft Azure Cosmos DB.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging organizations to address the recently disclosed vulnerability in Microsoft Azure Cosmos DB (aka ChaosDB) as soon as possible.

Last week, researchers from Cloud security company Wiz disclosed technical details of a now-fixed Azure Cosmos database vulnerability, dubbed ChaosDB, that could have been potentially exploited by attackers to gain full admin access to other customers’ database instances without any authorization. The flaw was trivial to exploit and impacts thousands of organizations worldwide.

“#ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure’s flagship database – Cosmos DB. The vulnerability, which was disclosed to Microsoft in August 2021 by Wiz Research Team, gives any Azure user full admin access (read, write, delete) to another customers Cosmos DB instances without authorization.” reads the post published by the security firm,

Azure Cosmos Darabase is Microsoft’s globally-distributed multi-model database service.

Wiz experts identified an exploit that leverages a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB that enables an attacker to obtain the credentials corresponding to the target Cosmos DB account, including the Primary Key. These credentials allow users to view, modify, and delete data in the target Cosmos DB account via multiple channels.

Microsoft acknowledged the issue and said that it is not aware of attacks exploiting the vulnerability to access customer data.

“This vulnerability only affects a subset of customers who had the Jupyter Notebook feature enabled. Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key. Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable.” reads the post published by Microsoft which also includes instructions on how to regenerate the user’s primary read-write key. If you did not receive an email or in-portal notification, there is no evidence any other external parties had access to your primary read-write account key.  If you have diagnostic logs enabled, you can also review the logs for unusual IP addresses.  Our suggestion is to enable Diagnostic Logging and Azure Defender where available and periodically rotate your keys.”

Now CISA urges Azure Cosmos DB customers to regenerate their certificate keys and to review Microsoft’s guidance on how to Secure access to data in

“CISA is aware of a misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft’s guidance on how to Secure access to data in Azure Cosmos DB.” reads the advisory published by CISA.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cosmos DB)

[adrotate banner=”5″]

[adrotate banner=”13″]