Microsoft Azure Cosmos DB Vulnerability Advisory | August 2021

Security researchers have disclosed a vulnerability, dubbed ChaosDB, in Microsoft's cloud-hosted Azure Cosmos DB database service. Here's what you need to know.

Background

On August 26, 2021, researchers from the cloud security company Wiz publicly disclosed a vulnerability, dubbed ChaosDB, in Microsoft's cloud-hosted Azure Cosmos DB database service. Although the flaw is critical, it poses no immediate threat: Microsoft fixed the issue on the service side before disclosure and has contacted the customers it identified as affected. Regardless, Microsoft advises customers to regenerate their Cosmos DB keys (instructions are given below). The incident highlights a risk inherent in shared cloud services: a flaw in the provider's platform can expose tenants who did nothing wrong themselves.

Quick facts: what you need to know now 

  • Wiz researchers found a flaw that let them obtain the primary (read-write) keys of other customers' Cosmos DB accounts.
  • Anyone holding those keys could read, download, modify, or delete the data in the affected accounts.
  • Wiz reported the vulnerability to Microsoft in early August 2021; Microsoft disabled the vulnerable feature within 48 hours of the report.
  • The fix was applied by Microsoft on the service side, so your clients' Cosmos DB accounts need no patching and face no imminent threat. The remaining risk is a key that was obtained before the fix, which is why key regeneration is still recommended.

Next Steps for All Microsoft Azure Cosmos DB Customers:

While there is no immediate concern, the following short-term remediation steps are recommended.

  1. Regenerate your Cosmos DB primary keys.
    1. Microsoft publishes a guide with step-by-step details.
  2. Limit network access to your Cosmos DB account (this is especially important if the account's keys cannot be regenerated).
    1. There are two ways to limit access:
      1. External access: if access from outside Azure is required, use the IP firewall to allow only trusted external networks (for example, your own IP address space). A Microsoft guide outlines the steps.
      2. Internal Azure tenant access: where possible, restrict access to your own virtual networks. A Microsoft guide outlines the steps.
    2. Where possible, ensure that "Accept connections from within public Azure datacenters" under the "Exceptions" section of the firewall settings is not selected. Azure services that do not have static IP addresses rely on this exception, so disabling it can break such integrations and must be tested before rollout.
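The steps above, encoded as an Azure CLI helper script. This is an added example, not code from Microsoft's or Wiz's guidance: the account name, resource group, trusted range (203.0.113.0/24, a documentation range) and virtual network and subnet names are placeholders, and the script assumes a logged-in `az` CLI whose flag syntax matches the current `az cosmosdb` command group (confirm `--ip-range-filter` with `az cosmosdb update --help` on your version). The one non-obvious fact it relies on is how the portal's "Accept connections from within public Azure datacenters" exception is represented: as the address 0.0.0.0 in the account's IP rule list, which is what the offline audit function looks for.

```shell
#!/usr/bin/env bash
# ChaosDB remediation helper (added example; not Microsoft's or Wiz's code).
# Assumes a logged-in Azure CLI. All account and network names are placeholders.
set -eu

# Run a command, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# Offline audit of an account's IP rule list (one entry per line, as returned by
# `az cosmosdb show --query "ipRules[].ipAddressOrRange" -o tsv`).
# Returns 1 when the account is open to any IP (empty list, with public network
# access left at its default of enabled) or when the "Accept connections from
# within public Azure datacenters" exception is on, which the service represents
# as the entry 0.0.0.0; returns 0 otherwise.
audit_ip_rules() {
  local rules="$1"
  if [ -z "$rules" ]; then
    echo "FAIL: no IP firewall rules; any IP on the Internet may reach the account"
    return 1
  fi
  if printf '%s\n' "$rules" | grep -qxE '0\.0\.0\.0(/0)?'; then
    echo "FAIL: 0.0.0.0 present; 'Accept connections from within public Azure datacenters' is enabled"
    return 1
  fi
  echo "OK: access limited to $(printf '%s\n' "$rules" | wc -l | tr -d ' ') explicit IP rule(s)"
  return 0
}

# Step 1: regenerate one key. Rotate in this order to avoid downtime: move apps to the
# secondary key, regenerate the primary, move apps to the new primary, regenerate the
# secondary. Read-only keys take --key-kind primaryReadonly / secondaryReadonly.
regenerate_key() {
  local account="$1" rg="$2" kind="$3"
  run az cosmosdb keys regenerate --name "$account" --resource-group "$rg" --key-kind "$kind"
}

# Steps 2.1.1 to 2.2: replace the IP allow list with trusted external ranges only (this
# also drops 0.0.0.0, i.e. the Azure-datacenter exception), then admit one of your own
# subnets through a service endpoint and turn the virtual-network filter on.
harden_network() {
  local account="$1" rg="$2" trusted_cidrs="$3" vnet="$4" subnet="$5"
  run az cosmosdb update --name "$account" --resource-group "$rg" --ip-range-filter "$trusted_cidrs"
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
      --service-endpoints Microsoft.AzureCosmosDB
  run az cosmosdb network-rule add --name "$account" --resource-group "$rg" --vnet-name "$vnet" --subnet "$subnet"
  run az cosmosdb update --name "$account" --resource-group "$rg" --enable-virtual-network true
}

# Live audit: pull the current rule list and run the offline check on it.
audit_account() {
  local rules
  rules=$(az cosmosdb show --name "$1" --resource-group "$2" --query 'ipRules[].ipAddressOrRange' -o tsv)
  audit_ip_rules "$rules"
}

# Usage: DRY_RUN=1 ./chaosdb-remediate.sh apply   (prints the plan without changing anything)
if [ "${1:-}" = "apply" ]; then
  ACCOUNT="${COSMOS_ACCOUNT:-contoso-cosmos}"   # placeholder account name
  RG="${COSMOS_RG:-contoso-rg}"                 # placeholder resource group
  [ "${DRY_RUN:-0}" = "1" ] || audit_account "$ACCOUNT" "$RG" || true
  echo ">> make sure applications are using the secondary key before the next step"
  regenerate_key "$ACCOUNT" "$RG" primary
  echo ">> point applications at the new primary key, then run: regenerate_key $ACCOUNT $RG secondary"
  harden_network "$ACCOUNT" "$RG" "203.0.113.0/24" "contoso-vnet" "app-subnet"   # placeholders
fi
```

Run it with `DRY_RUN=1` first and review the printed commands; `az cosmosdb update --ip-range-filter` replaces the whole allow list, so include every trusted range in one call and re-check the result with `audit_account` before regenerating the secondary key.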