Microsoft has disclosed another security flaw, and the software giant has had to inform thousands of Azure customers that their data was exposed. The vulnerability affected several large, well-known companies and allowed unauthorized access to their databases. It has been named “ChaosDB”.
The news follows a series of severe and embarrassing Windows exploits that left Microsoft playing whack-a-mole with a succession of patches. Those vulnerabilities exploited issues in Windows Print Server and affected multiple versions of Windows.
This time the issue lies in Microsoft Azure’s Cosmos DB database service. Security research firm Wiz reports that a chain of weaknesses in a Cosmos DB feature allowed anyone to download, delete, or manipulate a large collection of commercial databases, as well as gain access to the underlying architecture of Cosmos DB.
Wiz blames a series of misconfigurations in Cosmos DB for giving attackers access to the database. In 2019, Microsoft added a new visualization feature to Cosmos DB, and in February it began turning that feature on automatically. Unfortunately, the feature also gave attackers a way to steal Cosmos DB primary keys, among other things.
Using these keys, Wiz was able to obtain long-term access to all assets and data that companies, some of them familiar Fortune 500 names, stored in Azure. This included full read, write, and delete permissions.
Wiz notified Microsoft about the vulnerability, and Microsoft disabled the feature within 48 hours. The company says it will redesign it; the visualization option remains off for now.
However, customers could still be affected because their direct access keys may already have been exposed, Wiz researchers Nir Ohfeld and Sagi Tzadik point out. Those keys remain valid until they are rotated, so an attacker who holds them could still use them to access databases. As a result, Microsoft has notified more than 30% of Cosmos DB customers that they must manually rotate their access keys to reduce this exposure.
Because that notification may not have reached every affected company, Wiz recommends that all Cosmos DB account owners follow Microsoft’s instructions to rotate and regenerate their keys. Although it is not clear which companies Microsoft notified, Cosmos DB customers include brands such as Exxon-Mobil, Quest, Symantec, and Citrix.
In a statement to Bloomberg, Microsoft said it has no evidence that the vulnerability was used to access customer data.