# Full Report
This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers.
# Analysis Summary
# Vulnerability: Azure Cosmos DB Jupyter Notebook Unrestricted Access Chain
## CVE Details
- CVE ID: Not explicitly provided in the text, but the vulnerability was disclosed and the feature subsequently disabled.
- CVSS Score: Not explicitly provided.
- CWE: Likely related to CWE-269 (Improper Privilege Management) and CWE-284 (Improper Access Control).
## Affected Systems
- Products: Microsoft Azure Cosmos DB (specifically instances utilizing the embedded Jupyter Notebook container feature).
- Versions: Undetermined, but applied to any active deployment of the Jupyter Notebook container functionality within Cosmos DB prior to mitigation.
- Configurations: Any Azure Cosmos DB instance where the Jupyter Notebook feature was enabled and running.
## Vulnerability Description
The vulnerability was a chain of misconfigurations within the embedded Jupyter Notebook container functionality in Azure Cosmos DB.
1. **Local Privilege Escalation (LPE):** When executing C# code within the Jupyter Notebook, the host process ran with **root privileges**, while other languages (like Python) ran as an unprivileged user (`cosmosuser`). This allowed an attacker to execute arbitrary C# code to escalate privileges to root inside the container (e.g., by modifying `/etc/passwd`).
2. **Unrestricted Network Access:** Once root access was obtained, the attacker could use `iptables -F` to clear local firewall rules, granting unrestricted network access from the container.
3. **Data Exfiltration/Service Takeover:** With root access and network access, the attacker could query the Instance Metadata Service (IMDS) to retrieve internal keys, query the WireServer for internal certificates and private keys, list running Service Fabric applications, and ultimately obtain the **Primary Key** for other customers' Cosmos DB databases, leading to administrative access across potentially thousands of customer databases, including Fortune 500 companies.
## Exploitation
- Status: **Exploited prior to public disclosure (Exploited in the wild)**. Wiz Research Team successfully executed the chain, gaining evidence of administrative access to thousands of customer databases.
- Complexity: **Medium** (Required chaining multiple distinct misconfigurations, though the initial LPE trigger was simple C# execution).
- Attack Vector: **Network** (Attacker only needed access to the vulnerable container environment, often via an existing authenticated session or service hook into the Notebook environment).
## Impact
- Confidentiality: **Complete** (Access to internal keys, certificates, and all customer data within affected databases).
- Integrity: **Complete** (Ability to modify, delete, or create data in customer databases).
- Availability: **High** (Potential to disrupt database operations via service takeover mechanisms).
## Remediation
### Patches
- The vulnerable feature was **disabled** by Microsoft shortly after disclosure (August 14, 2021). Specific version updates related to fixing the underlying host process privilege escalation were not detailed, as the feature itself was taken offline.
### Workarounds
- **Disable or cease use of the embedded Azure Cosmos DB Jupyter Notebook functionality.** (This was the immediate mitigation taken by Microsoft).
## Detection
- **Indicators of Compromise (IoCs):**
  - Unusual outbound network connections originating from the Jupyter Notebook environment pointing to internal/metadata endpoints (`169.254.169.254`).
  - Modification to the container's operating system files (e.g., `/etc/passwd`).
- **Detection Methods and Tools:** Monitoring container runtime behavior for execution of system commands like `iptables`, `su`, or attempts to query attached metadata services from within the notebook environment should raise high-severity alerts. Security monitoring of internal network flow originating from Cosmos DB processes is critical.
## References
- Vendor Advisory/Disclosure: Wiz Research Blog on ChaosDB, August 2021.
- Relevant links:
  - hxxps://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases