Microsoft Patches Major Flaw in Azure

Microsoft has acknowledged a recently-discovered flaw in its Azure-based Cosmos DB database that left over 3,000 customers open to attack. But the software giant says that no customers were exploited, and it has fixed the flaw.

“There is no evidence of this technique being exploited by malicious actors,” a Microsoft statement notes. “We are not aware of any customer data being accessed because of this vulnerability.”

The vulnerability was discovered by a security company named Wiz, which hyperbolically described it as “the worst cloud vulnerability you can imagine.” As Han Solo once noted, however, “I don’t know, I can imagine quite a bit.”

“Customers like Coca-Cola, Exxon-Mobil, and Citrix use Cosmos DB to manage massive amounts of data from around the world in near real-time,” a Wiz blog post about its discovery explains. “A series of flaws in a Cosmos DB feature created a loophole allowing any user to download, delete, or manipulate a massive collection of commercial databases, as well as read/write access to the underlying architecture of Cosmos DB.”

Wiz named the flaw “#ChaosDB,” and claims that exploiting it was “trivial.” Microsoft paid the firm $40,000 for its discovery.

“We fixed this issue immediately to keep our customers safe and protected,” Microsoft added. “We thank the security researchers for working under coordinated vulnerability disclosure.”

Tagged with

Share post

Conversation 5 comments

  • viperx2352

    Premium Member
    27 August, 2021 - 10:10 am

    <p>Thank you for reporting this as it is. I have seen this so many other places and it is nothing but clickbait headlines, and the stories sound so much worse! Thank you for doing an awesome job in general as well!</p>

  • dougkinzinger

    Premium Member
    27 August, 2021 - 11:23 am

    <p>Paul’s a great and fair reporter. But I might take a bit of issue with the headline. It isn’t really a flaw in Azure <em>per se</em>, but is instead a flaw in an Azure-hosted database engine.</p>

  • rm

    27 August, 2021 - 11:38 am

    <p>Interesting that none of Microsoft’s security monitoring detected this…</p>

    • rmaclean

      28 August, 2021 - 3:43 am

      <p>Based on the description, I’m assuming this wasn’t something that automated tools detect, like buffer overflow or SQL injection. Rather this was a way of it working that had an unintended side effect of extending access</p>

    • curtisspendlove

      28 August, 2021 - 10:23 am

      <p>It would have been pretty tricky to automatically detect. </p><p><br></p><p>It relied on a combination of a privilege escalation vulnerability and a version of a “man-in-the-middle” attack. </p><p><br></p><p>But it’s *really* bad. It exposes private keys which hand over the entire kingdom to the attacker. They get full access to the entire DB permanently (until the keys are manually rotated). </p><p><br></p><p>But good on Microsoft for fixing it so quickly and paying a bounty. This is an excellent example of “white hat hacking” done right. </p>

Newsletter

Stay up to date with the latest tech news from Thurrott.com!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2023 BWW Media Group