Researchers publish details of the easy-to-exploit ChaosDB vulnerability affecting Azure Cosmos DB database solution

A few months ago a group of researchers discovered the ChaosDB vulnerability, a severe flaw in the Azure Cosmos DB database solution whose exploitation would allow threat actors to access a vulnerable implementation without any restriction. This flaw affected thousands of Microsoft Azure customers, including some of the world’s largest companies.

Because the flaw was considered critical, technical details were withheld from the cybersecurity community for two months, but the wait is finally over. During the BlackHat Europe 2021 event, Wiz researchers shared more technical details of ChaosDB for the first time, confirming that it posed a critical security risk.

Until this presentation it was only known that ChaosDB is a chain of misconfigurations in Cosmos DB stemming from the way Microsoft introduced the Jupyter Notebook feature. A local privilege escalation would have allowed attackers to obtain a wide range of certificates and private keys in affected deployments.

Now, Wiz has confirmed that successfully exploiting the chain of misconfigurations in Cosmos DB would have allowed threat actors to obtain a large amount of information about exposed database deployments, including access credentials. In their tests, Wiz's team managed to abuse these errors to authenticate to more than 100 Cosmos DB control panels and perform follow-on malicious tasks, including extracting authentication tokens.

With this attack, a couple of lines of code were enough to bypass the security layers in Cosmos DB and reach Azure's internal infrastructure, putting far more than a single database at risk. A successful attack would have seriously damaged the Cosmos DB service because of the administrative privileges the attacker would hold, and it would have been almost impossible for a customer to implement any defense mechanism in this scenario.

In addition to affecting thousands of customers, Wiz believes the flaw could also have reached other Microsoft services. In one of their tests, the researchers managed to take control of an entire Microsoft product environment using information extracted from a deployment vulnerable to ChaosDB.

Wiz's work was critical, allowing Microsoft's security teams to mitigate the risk of exploitation less than two days after receiving the report. Experts also believe that the flaw affecting a cloud deployment may itself have limited the risk, since Microsoft was able to address it more efficiently than if it had been found in an on-premises environment.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.