Full Report
A summary and recording of Wiz's talk at BlackHat Europe 2021: the full extent of ChaosDB, the impact it had, and the questions it raises about security in managed cloud services.
Analysis Summary
# Vulnerability: ChaosDB - Unrestricted Access in Azure Cosmos DB via Jupyter Notebook Misconfigurations
## CVE Details
- CVE ID: None assigned; the source cites no CVE. The issue was reported to Microsoft by Wiz Research on 12 August 2021 and published on 26 August 2021.
- CVSS Score: Not given. The researchers describe it as **"severe"** and bordering on a **"service takeover vulnerability."**
- CWE: Not assigned. The root cause is a chain of misconfigurations, closest to Improper Access Control (CWE-284) and a lack of isolation between customer-facing notebook containers and the service's management plane.
## Affected Systems
- Products: Microsoft Azure Cosmos DB, the managed service itself; the entry point was the built-in Jupyter Notebook feature.
- Versions: Not applicable to a managed service. Every Cosmos DB account with the notebook feature enabled was exposed, which from February 2021 included accounts where it had been enabled automatically.
- Configurations: The default configuration. Customers did not have to opt in to the notebook feature, so accounts that never used a notebook were still affected.
## Vulnerability Description
ChaosDB is a chain of severe misconfigurations in Microsoft's Azure Cosmos DB service, stemming from how the Jupyter Notebook feature was integrated. Starting from an unprivileged shell inside their own notebook container, the researchers chained a local privilege escalation with unrestricted network access to internal services, which let them extract service certificates and private keys. Those credentials gave them administrator access to the Azure Service Fabric instances that run the Cosmos DB management panels (over 100 instances were accessed). As an admin on these panels they could retrieve information for *every* Cosmos DB account in a regional cluster, including its authentication tokens (the account's primary read-write keys), breaking the isolation between tenants and the service and achieving what the researchers call "account-to-service takeover."
## Exploitation
- Status: **Demonstrated end to end by the researchers who discovered it.** The source reports no malicious exploitation in the wild.
- Complexity: **Low to Medium** for the chain as a whole. The researchers went from a fresh notebook to service takeover in under a week, and the core weakness was a default configuration rather than a subtle bug.
- Attack Vector: **Network.** Any Azure subscriber could create a Cosmos DB account, open the bundled notebook and start the chain; no prior access to a victim's account was required. From there the attack pivoted into Microsoft's internal infrastructure and from the management plane back out to other customers' accounts.
## Impact
- Confidentiality: **Severe.** Private keys, internal service secrets and the account keys of thousands of customer databases were exposed, along with the Cosmos DB management plane.
- Integrity: **Severe.** Admin access to the management panels allowed manipulation of customer data and service configuration, and a stolen primary read-write key gives full read/write access to the account's data.
- Availability: **Potentially Severe.** The researchers noted that their admin position inside the service could have been used to damage the Cosmos DB service itself.
## Remediation
### Patches
- Microsoft's Security Team mitigated the vulnerability in **less than 48 hours** after receiving the report by disabling the notebook feature. The fix was applied entirely server-side, so there is no customer-installable patch or version number.
### Workarounds
- The server-side fix closes the entry point but does not invalidate credentials that were already exposed, so customers still have to act: regenerate the Cosmos DB primary read-write keys (and, to be thorough, the secondary and read-only keys) of every affected account, since a leaked key remains valid until it is rotated. Restricting the account's network access (IP firewall rules, virtual network rules or Private Link) further limits what a leaked key can reach. The Wiz mitigations post (linked under References) describes the recommended steps.
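The rotation described above, written out as a shell script. This is an added example, not code from Wiz or Microsoft. It assumes the Azure CLI (`az`) is installed and logged in with rights on the account; the account and resource-group names are placeholders, and `cutover_clients` is a hypothetical hook standing in for whatever step moves your applications to the new key.

```shell
#!/bin/sh
# Added example (not from the Wiz report or Microsoft): rotate every key of a
# Cosmos DB account with the Azure CLI after a suspected key exposure.
# Assumes `az` is installed and logged in. ACCOUNT and RESOURCE_GROUP passed
# on the command line are placeholders, not real resources.
set -eu

# Command used to talk to Azure. Set AZ=echo to dry-run and only print the calls.
AZ="${AZ:-az}"

# Regenerate one key. $3 is one of the values accepted by
# `az cosmosdb keys regenerate --key-kind`:
#   primary, secondary, primaryReadonly, secondaryReadonly
regen_key() {
  "$AZ" cosmosdb keys regenerate --name "$1" --resource-group "$2" --key-kind "$3"
}

# Hypothetical hook run between rotating the secondary and the primary key:
# this is where clients are switched to the freshly generated secondary key so
# they keep working while the (possibly leaked) primary key is invalidated.
# Replace with your own deployment step; the default only logs to stderr.
cutover_clients() {
  echo "cutover: point clients at the new $1 key of $2" >&2
}

# Full rotation. Order matters: a leaked key stays valid until regenerated, but
# regenerating the key clients currently use causes an outage. So rotate the
# key that is not in use first, cut clients over to it, then rotate the other.
rotate_all_keys() {
  regen_key "$1" "$2" secondary
  cutover_clients secondary "$1"
  regen_key "$1" "$2" primary
  # Read-only keys are rarely used by applications but a leaked one still
  # exposes all data, so rotate them as well.
  regen_key "$1" "$2" secondaryReadonly
  regen_key "$1" "$2" primaryReadonly
}

# Usage: ./rotate_cosmos_keys.sh <account-name> <resource-group>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  rotate_all_keys "$1" "$2"
fi
```

Run it once per affected account; with `AZ=echo` it prints the four `az` invocations in the order they would execute, which is a cheap way to review the plan before touching production keys.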
## Detection
- Customer-visible indicators are limited to the use of a leaked key: data-plane requests authenticated with an account key from client IP addresses or locations that are not yours, particularly in the window between the August 2021 disclosure and your own key rotation. Cosmos DB diagnostic settings (the DataPlaneRequests log category) record the requesting client IP per request, but only if logging was enabled before the activity occurred.
- The chain itself ran inside Microsoft's infrastructure (the notebook hosts, Service Fabric and the management plane), so exploitation of the chain is detectable only by Azure's internal monitoring. From the customer side, the vulnerability was a default, server-side condition with no configuration to audit, which is why the researchers describe customer-side detection as nearly impossible.
## References
- Vendor advisories: None cited in the source (no CVE was assigned); Microsoft's remediation timeline is taken from the researcher report.
- Relevant links (defanged):
- BlackHat Europe 2021 Session: hxxps://www.blackhat.com/eu-21/briefings/schedule/#chaosdb-how-we-hacked-databases-of-thousands-of-azure-customers-25200
- Wiz Mitigations Post: hxxps://www.wiz.io/blog/protecting-your-environment-from-chaosdb
- Wiz Technical Deep Dive: hxxps://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough