Microsoft Azure Cosmos Database Vulnerability: ChaosDB Exposure Details

Microsoft has fixed a critical Azure Cosmos database vulnerability called ChaosDB, which was discovered by cloud security startup Wiz. Still, MSSPs and MSPs should advise their Azure Cosmos customers to regenerate the Cosmos DB Primary Keys, Microsoft says.

The reason: The vulnerability had been exploitable for months and every Cosmos DB customer should assume they’ve been exposed, Wiz researchers say. Microsoft apparently has thousands of Cosmos DB customers worldwide -- including Fortune 500 and Global 2000 businesses.

The Wiz ChaosDB research and associated alert to Microsoft may have saved Azure customers from prying eyes. Now patched, the critical vulnerability allowed any Azure user full admin access (read, write, delete) to other customers' Cosmos DB instances without authorization, Wiz asserts.

Microsoft Explains ChaosDB Vulnerability to Azure Database Cloud Customers

Microsoft's official ChaosDB statement said:

"Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer's resources by using the account's primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.

We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure."

ChaosDB Vulnerability: Who Is Wiz?

Per Microsoft's request, Wiz is currently not releasing any technical information about the ChaosDB vulnerability. Wiz plans to publish a full technical paper about the vulnerability in the near future, the company said.

Wiz is an Israeli cloud security startup launched by Microsoft veterans. The company raised $130 million in Series B funding in March 2021, bringing its valuation to $1.7 billion at the time.

Wiz offers a full stack security platform that connects to a multi-cloud environment in 15 minutes, CEO Assaf Rappaport has previously asserted. The platform can scan within an organization’s virtual machines (VMs) and containers without an agent.

Microsoft Under Pressure to Improve Security

The ChaosDB vulnerability surfaces one day after the CEOs of Microsoft, Google parent Alphabet, Amazon, Apple, IBM and other technology giants met with President Biden to discuss next steps on U.S. cybersecurity.

Amid the meeting with Biden at the White House, Microsoft vowed to spend $20 billion on cybersecurity over the next five years. Still, it's unclear how that figure will be assigned across Microsoft's people, product, process and partner priorities.

Microsoft's products remain prime targets for cyberattacks. The high-profile SolarWinds Orion attack ultimately extended to Microsoft's products. And more recently, multiple vulnerabilities have rocked Microsoft Exchange's on-premises software.

Microsoft Builds MSSP Relationships

On a more positive note, Microsoft has a growing ecosystem of MSSP and MDR (managed detection and response) partners that are well-positioned to assist customers with Azure-focused managed security services.

Indeed, the Microsoft Intelligent Security Association (MISA) has grown to include 67 MSSP members that support 165 managed security services offers, Microsoft said in mid-2021.

MISA is an independent ecosystem of software vendors, MSSPs and MDR partners that have integrated their solutions to better defend partners and customers from cyberattacks, Microsoft says.

The overall MISA organization, now led by Maria Thomson, spans 246 member companies — up from 133 in 2021 and 57 in 2020, Thomson disclosed in a July 2021 blog. The current count includes 176 independent software vendors (ISVs) creating 259 integrations.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.