Guidance on Securing Azure Cosmos DB Accounts – Microsoft Shares

Microsoft concerned guidance on securing Azure accounts that may be affected by a actively addresses Cosmos DB sensitive vulnerability, facilitating attackers full admin right to user’s data without authorization.

The bug known as ChaosDB, affects Microsoft Azure Cosmos DB, a widely appropriated NoSQL database assistance utilized by a wide collection of high-profile users, including Citrix, Mercedes Benz, Coca-Cola, Symantec, and Exxon-Mobil.    

The security bug was discovered by the cloud security firm investigator team in the Jupyter Notebook feature (enabled by default). The security flaw was discovering by the cloud security firm research team in the Jupyter Notebook feature enabled by default. Successful exploitation permitted any user to hijack customers’ primary read-write keys, permitting them completely takeover their databases remotely.

Over 30% of Cosmos DB Users Alerted of Probable Hijack  

Microsoft states it “reducing the vulnerability directly” after accepting researcher’s report (the researchers’ timeline shows that the flaw was fixed within 48 hours after the disclosure.) The company also warned over 30% of Cosmos DB users about a probable security hijack on August 26, two weeks after damaging the buggy Jupyter Notebook feature server-side.

Guidance-on-Securing-Azure-Cosmos-DB-Accounts–Microsoft-Shares-image

However, according to researchers, the actual number of harmed customers is likely a lot larger since it would include most Cosmos DB customers, provided that ChaosDB was present and could’ve been exploited for months before the disclosure.

“Our research shows that no customer information was accessed because of this vulnerability by third parties or security researchers,” Microsoft said on Friday. “If you did not get an email or in-portal notification, there is no evidence any other external parties had access to your primary read-write account key.”

How to Mitigate the use of Hijacked Credentials?

To block the risk and block threat actors who might’ve hijacked your Cosmos DB primary read-write keys before the vulnerable feature was disabled, Microsoft suggests regenerating the Cosmos DB keys.

As a best practice to precede secure Azure Cosmos DB account, Microsoft also facilitates the following recommendations:

  • All Azure Cosmos DB customers use a combination of firewall rules, vNet, and/or Azure Private Link on their account.  These network protection mechanisms prevent access from outside your network and unexpected locations.
  • In addition to implementing network security controls, we encourage the use of Role Based Access Control.  Role Based Access Control allows per user and security principal access control to Azure Cosmos DB – those identities can be audited in Azure Cosmos DB’s diagnostic logs.
  • If you cannot use Role Based Access Control, we recommend implementing regularly scheduled key rotations.
  • You can find additional security best practices in the Azure Cosmos DB security baseline documentation.

Microsoft also added that it’s including additional safeguards and observing to detect future attempts to achieve access to its customers’ Cosmos DB accounts without authorization. Customers are also suggested to toggle on Diagnostic Logging and Azure Defender where available to make it easier to spot suspicious activity originating from unusual IP addresses.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also urged Azure Cosmos DB customers to rotate their keys and check Microsoft’s guidance on how to Secure access to data in Azure Cosmos DB. “Although the misconfiguration comes to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys,” the cybersecurity agency said.

Leave a Reply