Microsoft has acknowledged a vulnerability in its Azure Cosmos DB cloud database service that could affect a large number of customers, including many Fortune 500 companies.
Cloud infrastructure security company Wiz revealed details of a now-fixed Azure Cosmos database vulnerability that could have been potentially exploited to grant any Azure user full admin access to other customers’ database instances without any authorisation.
Cosmos DB is Microsoft’s proprietary NoSQL database that’s advertised as “a fully managed service” that “takes database administration off your hands with automatic management, updates and patching.”
The Redmond-based giant paid Wiz a $40,000 bounty after the researchers showed they had been able to retrieve the primary keys of any Cosmos DB account they chose, which would let an attacker read, edit or delete that account's data, according to a report by RT.
The flaw, which grants read, write and delete privileges, has been dubbed "ChaosDB". Wiz researchers note that it has a trivial exploit that requires no prior access to the target environment, and that it affects thousands of organisations, including numerous Fortune 500 companies.
“We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s),” Microsoft said in a statement.
“In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorised access.”
Microsoft itself cannot rotate the keys on a customer's behalf, so it has urged customers to regenerate their Cosmos DB primary keys to mitigate any risk arising from the flaw. Regenerating a key immediately invalidates the old one, so any application that embeds it must be updated; Cosmos DB issues a primary and a secondary key precisely so that one can be rotated while clients are moved to the other.
Although Microsoft notified more than 30 per cent of Cosmos DB customers about the potential exposure, Wiz expects the actual number of affected customers to be much higher, given that the vulnerability had been exploitable for months.
“Every Cosmos DB customer should assume they’ve been exposed. We also recommend reviewing all past activity in your Cosmos DB account,” Wiz researchers noted.
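The three practical steps the article describes, checking whether an account sits behind a virtual network or firewall, regenerating its keys, and reviewing recent activity, can be scripted against the Azure CLI. The script below is an added example and is not code from Microsoft, Wiz or the article; it assumes `az` is installed and logged in with rights on the account, and the environment variable names `COSMOS_ACCOUNT`, `RESOURCE_GROUP` and `ROTATE_KEYS` are this example's own convention. The decision function `network_posture` is kept free of Azure calls so it can be exercised without a subscription.

```shell
#!/usr/bin/env bash
# Added example, not the article's or Microsoft's own tooling: audit a Cosmos DB
# account's network exposure, list recent control-plane operations on it, and
# (optionally) regenerate all four account keys with the Azure CLI.
# Assumes `az` is installed and logged in. Env vars are this example's convention.
set -euo pipefail

# Pure decision logic, kept separate from az so it runs offline.
# Args: publicNetworkAccess (Enabled|Disabled), isVirtualNetworkFilterEnabled
# (true|false, any case), number of IP firewall rules, number of VNet rules.
# Prints "restricted" when the account is only reachable through a firewall
# or VNet rule set (the case Microsoft's statement says was protected), else "open".
network_posture() {
  local public_access="$1" ip_rules="$3" vnet_rules="$4"
  local vnet_filter
  vnet_filter=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  if [ "$public_access" = "Disabled" ]; then
    echo restricted; return
  fi
  if [ "$vnet_filter" = "true" ]; then
    echo restricted; return
  fi
  if [ "$ip_rules" -gt 0 ] || [ "$vnet_rules" -gt 0 ]; then
    echo restricted; return
  fi
  echo open
}

# Pull the four network fields from the account and classify them.
# JMESPath `|| `[]`` guards against null rule lists on older accounts.
audit_account() {
  local acct="$1" rg="$2" fields
  fields=$(az cosmosdb show --name "$acct" --resource-group "$rg" \
    --query '[publicNetworkAccess, isVirtualNetworkFilterEnabled, length(ipRules || `[]`), length(virtualNetworkRules || `[]`)]' \
    -o tsv)
  # shellcheck disable=SC2086  # tsv row is intentionally split into four args
  network_posture $fields
}

# Control-plane events on Cosmos DB accounts in the resource group for the last
# 90 days (the activity log's retention). Key reads appear as
# Microsoft.DocumentDB/databaseAccounts/listKeys/action. Data-plane reads are
# NOT here; those need diagnostic settings (DataPlaneRequests) to have been on.
list_account_operations() {
  local rg="$1"
  az monitor activity-log list --resource-group "$rg" --offset 90d \
    --query "[?contains(operationName.value, 'Microsoft.DocumentDB/databaseAccounts')].[eventTimestamp, caller, operationName.value, status.value]" \
    -o tsv
}

# Regenerate every key kind. Each call invalidates that key immediately, so
# rotate primary and secondary in separate steps after moving clients across.
rotate_keys() {
  local acct="$1" rg="$2" kind
  for kind in primary primaryReadonly secondary secondaryReadonly; do
    az cosmosdb keys regenerate --name "$acct" --resource-group "$rg" \
      --key-kind "$kind" -o none
    echo "regenerated $kind key on $acct"
  done
}

# Only talk to Azure when the caller has named an account.
if [ -n "${COSMOS_ACCOUNT:-}" ] && [ -n "${RESOURCE_GROUP:-}" ]; then
  echo "network posture: $(audit_account "$COSMOS_ACCOUNT" "$RESOURCE_GROUP")"
  list_account_operations "$RESOURCE_GROUP"
  if [ "${ROTATE_KEYS:-no}" = "yes" ]; then
    rotate_keys "$COSMOS_ACCOUNT" "$RESOURCE_GROUP"
  fi
fi
```

Run it as `COSMOS_ACCOUNT=myaccount RESOURCE_GROUP=myrg ./cosmos-chaosdb-check.sh` to audit and list activity, and add `ROTATE_KEYS=yes` once client configuration is ready for new keys. An "open" posture means the account was outside the population Microsoft described as protected by additional mechanisms, and an empty activity log is not evidence of no access, since data-plane reads with a stolen key leave no trace in the control-plane log.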