This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers. In August 2021, we disclosed to Microsoft a new vulnerability in Cosmos DB that ultimately allowed us to retrieve numerous internal keys that can be used to manage the service, following this high-level workflow:
1. Set up a Jupyter Notebook container on your Azure Cosmos DB
2. Run any C# code to obtain root privileges
3. Remove firewall rules set locally on the container in order to gain unrestricted network access
4. Query WireServer to obtain information about installed extensions, certificates and their corresponding private keys
5. Connect to the local Service Fabric, list all running applications, and obtain the Primary Key to other customers’ databases
6. Access Service Fabric instances of multiple regions over the internet
In this post we walk you through every step of the way, to the point where we even gained administrative access to some of the magic that powers Azure.
We managed to gain unauthorized access to customers’ Azure Cosmos DB instances by taking advantage of a chain of misconfigurations in the Jupyter Notebook Container feature of Cosmos DB. We were able to prove access to thousands of companies’ Cosmos DB Instances (database, notebook environment, notebook storage) with full admin control via multiple authentication tokens and API keys. Among the affected customers are many Fortune 500 companies. We also managed to gain access to the underlying infrastructure that runs Cosmos DB and we were able to prove that this access can be maintained outside of the vulnerable application—over the internet. Overall, we think that this is as close as it gets to a “Service Takeover”.
August 09 2021 – Wiz Research Team first exploited the bug and gained unauthorized access to Cosmos DB accounts.
August 11 2021 – Wiz Research Team confirmed intersection with Wiz customers.
August 12 2021 – Wiz Research Team sent the advisory to Microsoft.
August 14 2021 – Wiz Research Team observed that the vulnerable feature has been disabled.
August 16 2021 – Microsoft Security Response Center (MSRC) confirmed the reported behavior (MSRC Case 66805).
August 16 2021 – Wiz Research Team observed that some obtained credentials have been revoked.
August 17 2021 – MSRC awarded $40,000 bounty for the report.
August 23 2021 – MSRC confirmed that several thousand customers were affected.
August 23 2021 – MSRC and Wiz Research Team discussed public disclosure strategy.
August 25 2021 – Public disclosure.
The blog post is well worth reading