Wiz security researchers have managed to crack the control panel of the underlying service that hosts Azure CosmosDB, which gave them full read and write privileges over all other customer databases on the same cluster.
Using the access they were able to obtain plaintext Primary Keys “for any?Cosmos DB?instance running in our cluster” as well as executing arbitrary code in any other customer’s Jupyter Notebook instances.
“Using just one certificate, we managed to authenticate to internal Service Fabric instances of multiple [Azure Cosmos] regions that were accessible from the internet.”
“We were, just, like, looking for misconfigurations,” one of the Wiz team, researcher Nir Ohfeld, said during an interview with The Register.
“For some unknown reason, the host process for C# specifically was running with root privileges, which meant that any C# code would be executed as root as well. We used this misconfiguration to escalate our privileges inside the container.”
“Between us, we refer it to like escaping the Matrix. We went from being managed by the service to managing the service,” said fellow researcher Sagi Tzadik.
Tzadik added that a malicious person with those keys could have even encrypted every single customer database within reach – potentially thousands, with a bit more lateral movement through the Azure Cosmos management layer.
While the specific vulnerability has now been fixed, the hack revealed poor underlying security practices in Microsoft’s Azure, the crown jewel of the company, which is relied on by spy agencies and governments alike.
A write-up of the full hack can be read on Wiz’s website here.
via The Register