Full Report
Wiz Research found an unprecedented critical vulnerability in Azure Cosmos DB. The vulnerability gives any Azure user full admin access (read, write, delete) to other customers' Cosmos DB instances without authorization.
Analysis Summary
This summary is based on the information provided about the "ChaosDB" vulnerability in Azure Cosmos DB, discovered by Wiz Research.
# Vulnerability: Critical Credential Exposure in Azure Cosmos DB Jupyter Notebook Feature (ChaosDB)
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided, but described as **unprecedented critical vulnerability**.
- CWE: Not explicitly provided; the behaviour described matches Improper Access Control or exposure of sensitive information through a service feature.
## Affected Systems
- Products: **Azure Cosmos DB**
- Versions: **Any Cosmos DB account that had the Jupyter Notebook feature enabled.** (The Jupyter notebook feature was automatically enabled for all new Cosmos DBs after February 2021).
- Configurations: Affected if the Jupyter Notebook feature was enabled **AND** allowed access from external IPs (which is common due to firewall exceptions like "Allow traffic for Azure data centers").
## Vulnerability Description
The vulnerability stems from the Jupyter Notebook feature integrated into Azure Cosmos DB (added in 2019). An attacker could manipulate their local Jupyter Notebook environment to escalate privileges and gain full administrative access (read, write, delete) to *other customers'* Cosmos DB instances, potentially exposing sensitive data, including Cosmos DB primary keys.
## Exploitation
- Status: The text describes an **authorization bypass / privilege escalation** that leads to secrets exposure. Exploitation methods and PoC details are described in the referenced BlackHat talk and initial blog post, so the risk is high.
- Complexity: Implied **Medium to High**; the attacker must already be an Azure user/tenant able to create and manipulate a notebook environment.
- Attack Vector: Likely **Network** (Leveraging cross-tenant cloud service access).
## Impact
- Confidentiality: **Complete exposure** (Ability to read/steal primary keys and data).
- Integrity: **High** (Ability to modify/delete data).
- Availability: **High** (Ability to delete resources).
## Remediation
### Patches
- Microsoft security teams **disabled the vulnerable notebook service** upon reporting.
### Workarounds
1. **Regenerate Primary Keys:** Security teams must instruct all DB owners to replace their Cosmos DB primary keys for all potentially affected accounts (including those that appear isolated). The secondary key remains valid and can be used temporarily during rotation.
2. **Reduce Network Exposure:** Limit network exposure by moving away from open firewall rules (like "Allow traffic for Azure data centers") toward tighter controls, ideally using **Private Endpoints** to eliminate cross-tenant access.
## Detection
- **Checking for Jupyter Notebooks:**
  1. Navigate to the Cosmos DB resource in the Azure portal.
  2. Click **Export template**.
  3. Search the template JSON for the block starting with `"type": "Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces"`. If found, Jupyter Notebook was enabled.

  *(Note: The `nslookup` method mentioned previously is deprecated.)*
- **Monitoring Remediation:** Wiz users can use specific queries to tag Cosmos DBs that have not recently rotated their keys and monitor their effective network exposure.
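The two checks above (the notebookWorkspaces block in the exported template, and the account's network exposure from the Workarounds section) can be applied to an exported template offline. The script below is an added example, not code from Wiz Research or Microsoft: it assumes the input is the JSON produced by the portal's **Export template** action, and the two templates embedded in it are constructed samples with placeholder account names. The one assumption about Azure itself is that the "Allow traffic for Azure data centers" firewall exception is stored as the special IP rule `0.0.0.0`, the value Azure documents for that option.

```python
# Added example (not Wiz's or Microsoft's code): triage an exported Cosmos DB ARM
# template for the two ChaosDB indicators the report names, a notebookWorkspaces
# resource and a firewall open to other Azure tenants. Sample templates are constructed.
import json
from typing import Any, Dict, List

NOTEBOOK_TYPE = "Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces"
ACCOUNT_TYPE = "Microsoft.DocumentDB/databaseAccounts"
# Assumption: "Allow traffic for Azure data centers" is stored as the IP rule 0.0.0.0.
AZURE_DATACENTER_RULE = "0.0.0.0"


def _template(resources: List[Dict[str, Any]]) -> str:
    """Wrap a resource list in the minimal ARM template envelope (constructed sample)."""
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": resources,
    })


# Constructed sample: notebooks enabled and firewall opened to all Azure data centers.
EXPOSED_TEMPLATE = _template([
    {
        "type": ACCOUNT_TYPE,
        "apiVersion": "2021-04-15",
        "name": "example-cosmos-exposed",  # placeholder account name
        "properties": {
            "publicNetworkAccess": "Enabled",
            "isVirtualNetworkFilterEnabled": False,
            "ipRules": [{"ipAddressOrRange": AZURE_DATACENTER_RULE}],
        },
    },
    {
        "type": NOTEBOOK_TYPE,
        "apiVersion": "2021-04-15",
        "name": "example-cosmos-exposed/default",
        "dependsOn": ["[resourceId('Microsoft.DocumentDB/databaseAccounts', 'example-cosmos-exposed')]"],
    },
])

# Constructed sample: no notebook workspace, public access disabled (private endpoints only).
HARDENED_TEMPLATE = _template([
    {
        "type": ACCOUNT_TYPE,
        "apiVersion": "2021-04-15",
        "name": "example-cosmos-hardened",  # placeholder account name
        "properties": {"publicNetworkAccess": "Disabled", "ipRules": []},
    },
])


def has_notebook_workspace(account: Dict[str, Any], resources: List[Dict[str, Any]]) -> bool:
    """True if a notebookWorkspaces resource belongs to this account.

    Exports may list the workspace as a top-level block named "<account>/<workspace>"
    or nest it under the account's own "resources" array; both forms are checked.
    """
    name = account.get("name", "")
    nested = any(r.get("type", "").endswith("notebookWorkspaces") for r in account.get("resources", []))
    flat = any(r.get("type") == NOTEBOOK_TYPE and r.get("name", "").startswith(name + "/")
               for r in resources)
    return nested or flat


def network_exposure(props: Dict[str, Any]) -> str:
    """Classify who can reach the account: private, restricted, azure-wide or public."""
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "private"  # reachable only through private endpoints
    ip_rules = [r.get("ipAddressOrRange") for r in props.get("ipRules", [])]
    if AZURE_DATACENTER_RULE in ip_rules:
        return "azure-wide"  # any Azure tenant, the exposure ChaosDB relied on
    if not ip_rules and not props.get("isVirtualNetworkFilterEnabled", False):
        return "public"  # no firewall configured at all
    return "restricted"


def triage(template_json: str) -> Dict[str, Dict[str, Any]]:
    """Per-account findings plus the actions the report recommends."""
    resources = json.loads(template_json).get("resources", [])
    report: Dict[str, Dict[str, Any]] = {}
    for acct in (r for r in resources if r.get("type") == ACCOUNT_TYPE):
        notebooks = has_notebook_workspace(acct, resources)
        exposure = network_exposure(acct.get("properties", {}))
        reachable = exposure in ("public", "azure-wide")
        actions = []
        if notebooks:
            actions.append("rotate primary key (use secondary key during rotation)")
        if reachable:
            actions.append("replace open firewall rule with private endpoints")
        report[acct["name"]] = {
            "notebooks_enabled": notebooks,
            "exposure": exposure,
            "cross_tenant_reachable": reachable,
            "actions": actions,
        }
    return report


if __name__ == "__main__":
    for sample in (EXPOSED_TEMPLATE, HARDENED_TEMPLATE):
        print(json.dumps(triage(sample), indent=2))
```

Feed it a real export by replacing the sample strings with the file contents; the `actions` list maps directly onto the two workarounds above, and key rotation itself can then be done with `az cosmosdb keys regenerate --key-kind primary` once clients have been switched to the secondary key.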
## References
- Vendor advisories: CISA guidance recommends key regeneration for all Azure Cosmos DBs.
- Relevant links (defanged):
  - Initial Exploit Details: [wiz dot io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases]
  - BlackHat Presentation: [youtube dot com/watch?v=QiJAxo30w6U]