URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-azure-customers-of-critical-cosmos-db-vulnerability/
MICROSOFT WARNS AZURE CUSTOMERS OF CRITICAL COSMOS DB VULNERABILITY

By Sergiu Gatlan
August 27, 2021, 08:52 AM

Microsoft has warned thousands of Azure customers that a now-fixed critical
vulnerability in Cosmos DB allowed any Azure user to remotely take over other
customers' databases with full administrative access, without any
authorization.

Azure Cosmos DB is a globally distributed and fully managed NoSQL database
service used by high-profile customers, including Mercedes Benz, Symantec,
Coca-Cola, Exxon-Mobil, and Citrix.

"Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that
could potentially allow a user to gain access to another customer's resources by
using the account's primary read-write key," the company told customers.

"We have no indication that external entities outside the researcher had access
to the primary read-write key associated with your Azure Cosmos DB account(s).
In addition, we are not aware of any data access because of this vulnerability."

The cloud security firm Wiz's research team, who discovered the security flaw,
dubbed it ChaosDB and disclosed it to Microsoft on August 12, 2021.

The attack chained several bugs in Cosmos DB's Jupyter Notebook feature, which
is enabled by default and meant to help customers visualize their data.

Successful exploitation gave the attacker other customers' Cosmos DB
credentials, including the account's primary key, a long-lived secret that
grants complete and unrestricted remote access to the customer's databases and
account.

"The vulnerability has a trivial exploit that doesn't require any previous
access to the target environment, and impacts thousands of organizations,
including numerous Fortune 500 companies," the researchers said.

ChaosDB exploitation flow (Wiz)

Microsoft disabled the vulnerable entry point within 48 hours of receiving the
report and, on August 26, two weeks after turning off the buggy Jupyter
Notebook feature, alerted more than 30% of Cosmos DB customers to a potential
security breach.

However, according to the Wiz research team, the actual number of affected
customers is likely much larger and probably includes most Cosmos DB customers,
given that the ChaosDB vulnerability was present, and could have been
exploited, for months before Wiz's disclosure.

To mitigate the risk and block potential attacks, Microsoft advises Azure
customers to regenerate the Cosmos DB Primary Keys that could've been stolen
before the vulnerable feature was disabled.

The company also advised customers to take the following recommended actions to
further secure their Azure Cosmos DB databases: 

 1. Schedule a regular rotation and regeneration of your primary and secondary
    keys.
 2. As a standard security best practice, consider using the Azure Cosmos DB
    firewall and virtual network integration to control the access to your
    accounts at the network level.
 3. If you are using the Azure Cosmos DB Core (SQL) API, consider using the
    Azure Cosmos DB role-based access control (RBAC) to authenticate your
    database operations with Azure Active Directory instead of primary/secondary
    keys. With RBAC, you have the option to completely disable your account's
    primary/secondary keys.
 4. For a complete overview of the security controls available on Azure Cosmos
    DB, refer to our security baseline. 

Reviewing all past activity on their Cosmos DB accounts is also recommended to
detect previous attempts to exploit this vulnerability.
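The remediation the article lists (key regeneration, network restriction, Azure AD RBAC with keys disabled) and the review of past activity, as an added example in POSIX shell around the Azure CLI. This is not Microsoft's guidance verbatim and not code from the article. It assumes an existing `az login` session with write rights on the account; the account, resource group, IP ranges, subnet, principal and workspace values are placeholders you pass in, and the CDBDataPlaneRequests column names and the "PrimaryMasterKey" value in the log query are assumed from the resource-specific diagnostic log schema, not taken from the page.

```shell
#!/bin/sh
# Added example, not Microsoft's or the article's code: the post-ChaosDB
# hardening steps as Azure CLI calls wrapped in POSIX sh functions.
# Assumptions: `az login` has been done with an identity that can write to the
# account; account/resource-group/subnet/principal/workspace values are
# placeholders. COSMOS_DRY_RUN=1 prints each command instead of executing it,
# so the sequence can be reviewed (or tested) before it touches a real account.

run() {
  if [ "${COSMOS_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Regenerate one key. Kinds: primary, secondary, primaryReadonly,
# secondaryReadonly. For zero-downtime rotation: regenerate "secondary",
# redeploy clients with the new secondary key, then regenerate "primary"
# (the key a ChaosDB attacker would have captured), and repeat for the
# read-only pair. A key stops working the moment it is regenerated.
regenerate_key() {
  run az cosmosdb keys regenerate --name "$1" --resource-group "$2" --key-kind "$3"
}

# Network-level control: accept requests only from the listed public IPs/CIDRs
# ($3, comma-separated, no spaces) and from one VNet subnet ($4, name or full
# resource ID). A stolen key presented from anywhere else is rejected.
restrict_network() {
  run az cosmosdb update --name "$1" --resource-group "$2" \
    --enable-virtual-network true --ip-range-filter "$3"
  run az cosmosdb network-rule add --name "$1" --resource-group "$2" --subnet "$4"
}

# Core (SQL) API only: grant the application's service principal ($3, object
# ID) the built-in "Cosmos DB Built-in Data Contributor" data-plane role
# (ID 00000000-0000-0000-0000-000000000002) at account scope ("/").
grant_data_contributor() {
  run az cosmosdb sql role assignment create --account-name "$1" --resource-group "$2" \
    --scope "/" --principal-id "$3" \
    --role-definition-id 00000000-0000-0000-0000-000000000002
}

# Once every client authenticates with Azure AD, turn off key-based (local)
# auth entirely: after this, even a valid primary key is refused. Do it last;
# anything still using a key breaks immediately.
disable_key_auth() {
  run az resource update --resource-type "Microsoft.DocumentDB/databaseAccounts" \
    --name "$1" --resource-group "$2" --set properties.disableLocalAuth=true
}

# Review past activity: which clients used the primary key against this
# account, from the DataPlaneRequests diagnostic logs routed to a Log Analytics
# workspace. ASSUMPTION: the CDBDataPlaneRequests column names and the
# "PrimaryMasterKey" value are taken from the resource-specific schema as I
# recall it; confirm them against a sample row from your own workspace.
primary_key_usage_query() {
  # $1 = lookback such as 90d
  printf '%s' "CDBDataPlaneRequests | where TimeGenerated > ago($1) | where KeyType == \"PrimaryMasterKey\" | summarize Requests=count() by ClientIpAddress, UserAgent, OperationName | order by Requests desc"
}

review_primary_key_usage() {
  # $1 = Log Analytics workspace (customer) ID, $2 = lookback such as 90d
  run az monitor log-analytics query --workspace "$1" --analytics-query "$(primary_key_usage_query "$2")"
}

# Suggested order for an account that may have been exposed:
#   regenerate_key ACCT RG secondary   # then redeploy clients on the new key
#   regenerate_key ACCT RG primary
#   restrict_network ACCT RG "203.0.113.0/24" "$SUBNET_ID"
#   grant_data_contributor ACCT RG "$APP_OBJECT_ID"
#   disable_key_auth ACCT RG           # only after clients are on Azure AD
#   review_primary_key_usage "$WORKSPACE_ID" 90d
```

Order matters: regenerate the secondary key first and move clients to it, regenerate the primary (the key ChaosDB exposed) only afterwards, and flip `disableLocalAuth` last, since from that moment every key-based client, including anything still on the old primary, is refused. With `COSMOS_DRY_RUN=1` each command is printed as its argument vector joined by spaces, so the KQL string appears unquoted in that output.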

While, at Microsoft's request, the researchers have not yet released technical
information regarding the ChaosDB flaw that could help threat actors create
their own exploits, they will publish a full technical paper soon. 

The Wiz research team has also recently disclosed a new class of DNS
vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could
enable attackers to access sensitive info from corporate networks in what was
described as "nation-state level spying" campaigns.




DISCLOSURE TIMELINE:

 * August 09, 2021 - Wiz Research Team first exploited the bug and gained
   unauthorized access to Cosmos DB accounts.
 * August 12, 2021 - Wiz Research Team sent the advisory to Microsoft.
 * August 14, 2021 - Wiz Research Team observed that the vulnerable feature had
   been disabled.
 * August 16, 2021 - MSRC confirmed the reported behavior (MSRC Case 66805).
 * August 16, 2021 - Wiz Research Team observed that some obtained credentials
   had been revoked.
 * August 17, 2021 - MSRC awarded a $40,000 bounty for the report.
 * August 23, 2021 - MSRC confirmed that several thousand customers were impacted.
 * August 26, 2021 - Public disclosure.


SERGIU GATLAN

Sergiu Gatlan is a reporter who covered cybersecurity, technology, Apple,
Google, and a few other topics at Softpedia for more than a decade. Email or
Twitter DMs for tips.