Microsoft Patches Major Flaw in Azure

Posted on August 27, 2021 by Paul Thurrott in Cloud with 5 Comments

Microsoft has acknowledged a recently-discovered flaw in its Azure-based Cosmos DB database that left over 3,000 customers open to attack. But the software giant says that no customers were exploited, and it has fixed the flaw.

“There is no evidence of this technique being exploited by malicious actors,” a Microsoft statement notes. “We are not aware of any customer data being accessed because of this vulnerability.”

The vulnerability was discovered by a security company named Wiz, which hyperbolically described it as “the worst cloud vulnerability you can imagine.” As Han Solo once noted, however, “I don’t know, I can imagine quite a bit.”

“Customers like Coca-Cola, Exxon-Mobil, and Citrix use Cosmos DB to manage massive amounts of data from around the world in near real-time,” a Wiz blog post about its discovery explains. “A series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete, or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”

Wiz named the flaw “#ChaosDB,” and claims that exploiting it was “trivial.” Microsoft paid the firm $40,000 for its discovery.

“We fixed this issue immediately to keep our customers safe and protected,” Microsoft added. “We thank the security researchers for working under coordinated vulnerability disclosure.”

Tagged with

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (5)

5 responses to “Microsoft Patches Major Flaw in Azure”

  1. viperx2352

    Thank you for reporting this as it is. I have seen this so many other places and it is nothing but clickbait headlines, and the stories sound so much worse! Thank you for doing an awesome job in general as well!

  2. dougkinzinger

    Paul's a great and fair reporter. But I might take a bit of issue with the headline. It isn't really a flaw in Azure per se, but is instead a flaw in an Azure-hosted database engine.

  3. rm

    Interesting that none of Microsoft's security monitoring detected this...

    • rmaclean

      Based on the description, I'm assuming this wasn't something that automated tools detect, like buffer overflow or SQL injection. Rather this was a way of it working that had an unintended side effect of extending access

    • curtisspendlove

      It would have been pretty tricky to automatically detect.

      It relied on a combination of a privilege escalation vulnerability and a version of a “man-in-the-middle” attack.

      But it’s *really* bad. It exposes private keys which hand over the entire kingdom to the attacker. They get full access to the entire DB permanently (until the keys are manually rotated).

      But good on Microsoft for fixing it so quickly and paying a bounty. This is an excellent example of “white hat hacking” done right.

Leave a Reply