CISA: Address Microsoft Azure Cosmos DB Vulnerability Now

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging all public and private sector organizations to address a recently discovered vulnerability in the Jupyter Notebook feature of Azure Cosmos DB. The vulnerability, dubbed ChaosDB, was recently publicly disclosed by cloud security firm Wiz, around a week after the company notified Microsoft about the flaw.

The flaw in the Jupyter Notebook feature of Azure Cosmos DB allows an attacker to obtain valid credentials that would give them full administrative rights and allow them to take control of Cosmos DB accounts. Microsoft confirmed the vulnerability and said an attacker could potentially gain access to another customer’s resources by using the account’s primary read-write key. Microsoft said it mitigated the vulnerability immediately after being notified about the flaw.

Microsoft said the flaw has not been exploited in the wild by any third parties or security researchers to gain access to customer data. Notifications have been sent to all customers whose keys were potentially affected by the researchers’ activity, asking them to regenerate their primary read-write keys.

The vulnerability only affects customers that have the Jupyter Notebook feature enabled. Other keys, such as the secondary read-write key, primary read-only key, and secondary read-only key, were not vulnerable at any point.

Microsoft has also recommended best practices to adopt to improve the security of Azure Cosmos DB. These include using network protection mechanisms such as firewall rules, VNet, and/or Azure Private Link on accounts, implementing Role-Based Access Control, and enabling Diagnostic Logging and Azure Defender where available. Once Diagnostic Logging has been enabled, users should audit the Azure Cosmos DB diagnostic logs and look for any unusual IP addresses. If it is not possible to use Role-Based Access Control, Microsoft recommends implementing regularly scheduled key rotations.
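The log audit Microsoft recommends can be scripted. The following is an added example, not code from the article or from Microsoft: it reads DataPlaneRequests rows exported from the AzureDiagnostics table as newline-delimited JSON and reports every client IP that falls outside an allow-list of expected networks. The field names (clientIpAddress_s, operationType_s, statusCode_s, TimeGenerated) follow that table's naming, but the sample rows and the allow-list range are constructed for the example.

```python
"""Flag Azure Cosmos DB data-plane requests from unexpected client IPs."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log: two addresses from an expected internal range and
# one unknown public address reading and querying documents.
SAMPLE_LOG = """
{"TimeGenerated":"2021-08-26T10:01:02Z","clientIpAddress_s":"10.20.0.14","operationType_s":"Read","statusCode_s":"200"}
{"TimeGenerated":"2021-08-26T10:01:05Z","clientIpAddress_s":"10.20.0.14","operationType_s":"Query","statusCode_s":"200"}
{"TimeGenerated":"2021-08-26T10:02:30Z","clientIpAddress_s":"10.20.0.22","operationType_s":"Create","statusCode_s":"201"}
{"TimeGenerated":"2021-08-26T11:45:10Z","clientIpAddress_s":"203.0.113.77","operationType_s":"Read","statusCode_s":"200"}
{"TimeGenerated":"2021-08-26T11:45:12Z","clientIpAddress_s":"203.0.113.77","operationType_s":"Query","statusCode_s":"200"}
"""

def parse_records(text):
    """Parse newline-delimited JSON rows, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_allowed(ip, networks):
    """True if ip parses and lies inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client address is itself worth a look
    return any(addr in net for net in networks)

def audit_client_ips(records, allowed_cidrs):
    """Summarise activity per client IP that is not in allowed_cidrs.

    Returns {ip: {"count", "operations", "first", "last"}}; timestamps are
    compared as ISO-8601 strings, which sort correctly in the Z form above.
    """
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = defaultdict(lambda: {"count": 0, "operations": defaultdict(int),
                                    "first": None, "last": None})
    for rec in records:
        ip = rec.get("clientIpAddress_s")
        if not ip or is_allowed(ip, networks):
            continue
        f = findings[ip]
        f["count"] += 1
        f["operations"][rec.get("operationType_s", "?")] += 1
        t = rec.get("TimeGenerated", "")
        f["first"] = t if f["first"] is None or t < f["first"] else f["first"]
        f["last"] = t if f["last"] is None or t > f["last"] else f["last"]
    return {ip: {**f, "operations": dict(f["operations"])} for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, info in audit_client_ips(parse_records(SAMPLE_LOG), ["10.20.0.0/16"]).items():
        print(f"{ip}: {info['count']} requests {info['operations']} "
              f"between {info['first']} and {info['last']}")
```

Any IP it reports is a candidate for key regeneration and a tightening of firewall or VNet rules, not proof of compromise on its own.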

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news