Recently, Microsoft sent an email to over 3000 companies telling them that their Azure database was vulnerable. Companies rely on Microsoft Azure’s flagship Cosmos DB database to keep their data secure, but that was not the case here. According to Reuters, this vulnerability in Microsoft Azure allowed intruders to read and write data belonging to any of these companies. What’s more surprising is that the issue went unnoticed for 2 years.
An intruder exploiting this vulnerability could read, change, or even delete an affected company’s main databases. Affected organizations included Fortune 500 companies such as Coca-Cola, Skype, Bentley, Rolls-Royce, Diply, Symantec, and Zeiss.
ChaosDB vulnerability
Fortunately, the vulnerability in Microsoft Azure was discovered by a security company, Wiz, which dubbed it “ChaosDB.” It stemmed from a misconfiguration in Jupyter Notebook, a visualization tool that was enabled by default in Microsoft Azure Cosmos DB. Using this, the security team at Wiz successfully accessed data from other Cosmos DB accounts.
Microsoft Azure Fix
The security company reported the issue on August 12th, and Microsoft deployed a fix by the 14th. However, because the vulnerability had been exposed for so long, an attacker could already have obtained customers’ access keys, and a server-side fix does not invalidate keys that were copied earlier. Microsoft has since notified over 30% of Cosmos DB customers that they need to change their access keys.
Wiz still believes that many more companies could be at risk, as Microsoft only reached out to some Cosmos DB customers. Wiz therefore recommends that all Cosmos DB customers take steps to protect their information. Changing your access keys helps mitigate the exposure.
How to change Microsoft Azure Cosmos DB access keys?
1. Navigate to your Microsoft Azure Cosmos DB account on the Azure portal.
2. Select Keys from the left menu, then select Regenerate Primary/Secondary Key from the ellipses on the right side of your primary/secondary key.
3. You can now validate that the new secondary key works consistently against your Azure Cosmos DB account.
Note: Key regeneration can take anywhere from one minute to multiple hours, depending on the size of the Cosmos DB account.
4. Replace your primary key with the secondary key in your application.
5. Go back to the Microsoft Azure portal and trigger the regeneration of the primary/secondary key.
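The ordering of steps 2 to 5 is what keeps the application online during rotation: the key the application still uses is regenerated only after the application has moved to a freshly validated one. The following Python script is an added example, not code from the article or from Microsoft. It models the account's two keys with a small in-memory simulator (FakeCosmosAccount, AppConfig, rotate_keys and naive_rotate_breaks_app are constructed names) so it runs offline; against a real account the same three operations correspond to listing keys, regenerating a key of a given kind, and sending a request signed with the key, which is an assumption about how you would wire it up rather than something the article states.

```python
"""Rotate Cosmos DB account keys in the order the article's steps describe.

Added example, not code from the article or from Microsoft. The classes and
functions here are constructed for this example; they stand in for the
portal clicks so the ordering can be exercised and checked offline.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeCosmosAccount:
    """In-memory stand-in for the account's key material and data plane."""
    keys: dict = field(default_factory=lambda: {
        "primary": secrets.token_urlsafe(32),
        "secondary": secrets.token_urlsafe(32),
    })
    log: list = field(default_factory=list)  # order of regenerations

    def list_keys(self):
        return dict(self.keys)

    def regenerate_key(self, kind):
        """Regeneration invalidates the old value immediately; any client
        still holding it starts failing, which is why ordering matters."""
        if kind not in ("primary", "secondary"):
            raise ValueError(f"unknown key kind: {kind}")
        self.keys[kind] = secrets.token_urlsafe(32)
        self.log.append(f"regenerate {kind}")
        return self.keys[kind]

    def authorized(self, key):
        """Data-plane check: does a request signed with `key` succeed?"""
        return key in self.keys.values()


@dataclass
class AppConfig:
    """The application's stored connection key (step 4 updates it)."""
    key: str


def rotate_keys(account, app):
    """Steps 2-5 of the article, in order; returns (new_primary, new_secondary)."""
    # Step 2: regenerate the secondary key first; the app still uses the primary.
    new_secondary = account.regenerate_key("secondary")
    # Step 3: validate the fresh secondary before the app depends on it.
    if not account.authorized(new_secondary):
        raise RuntimeError("new secondary key was rejected; stop the rotation")
    # Step 4: move the application onto the validated secondary key.
    app.key = new_secondary
    # Step 5: only now regenerate the primary, which nothing uses any more.
    new_primary = account.regenerate_key("primary")
    return new_primary, new_secondary


def naive_rotate_breaks_app(account, app):
    """The mistake the ordering prevents: regenerating the key the app is
    still using before switching it. Returns True if the app is now locked out."""
    account.regenerate_key("primary")  # app.key still holds the old primary
    return not account.authorized(app.key)


if __name__ == "__main__":
    acct = FakeCosmosAccount()
    app = AppConfig(key=acct.list_keys()["primary"])
    primary, secondary = rotate_keys(acct, app)
    print("app key still valid after rotation:", acct.authorized(app.key))
    print("regeneration order:", acct.log)
```

Both pre-rotation keys are dead once the routine returns, so a key copied during the exposure window no longer authorizes anything, while the application never spends a moment holding an invalid key. Running the same procedure with a real management client is a matter of replacing the simulator with the account's list, regenerate and request calls.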
Note: You can learn more about securing access to data in Microsoft Azure Cosmos DB by reading this link.