Chaos in the cosmos (DB)

06/09/21

A few days ago, while glimmers of coolness crept into the August heat wave, a very important but somewhat provocative question appeared again on professional social media: "How secure is the cloud?"

The main reason for this doubt lay in a vulnerability of a software component described by some researchers of the company Wiz.

Let's try to investigate what happened to understand the risks and solutions.

Microsoft, as part of the cloud solutions that go under the “Azure” umbrella, offers a database solution called CosmosDB. This is a NoSQL database, therefore radically different in structure and performance from a relational database such as SQL Server.

The advantages that push small and large companies to adopt a NoSQL database in the cloud are essentially three: storing large amounts of unstructured data, response speed in a few milliseconds and, last but not least, scalability on a global level. These advantages, combined with the power of the cloud, explain the reasons for the success of CosmosDB.

In August 2021 the company Wiz, technically led by Ami Luttwak, who recently held the same role in the Microsoft Cloud Security Group, informed Microsoft that its research team had identified a vulnerability in a software component used with CosmosDB, called Jupyter Notebook.

This is a small ancillary application to the main database engine, which describes itself as an open document format.

In practice it is a way of representing data that allows you to create and share documents containing anything from narrative text to scientific equations, from software code to more complex data, as simplified in the image below.

These documents can then be stored in the database and subsequently queried, sorted, extracted, and so on.

Jupyter Notebook was not born with CosmosDB but about ten years ago, as part of the Python programming language. In 2015 it was unbundled into a standalone open-source project called the Jupyter Project.

Put in the simplest possible terms, so as to understand the risk: the vulnerability in Jupyter Notebook, if exploited with an exploit written for the occasion, allows an attacker to query the Jupyter Notebook component of a CosmosDB database reachable from the Internet and obtain valid credentials that can be used to view, modify and delete data in the user's CosmosDB.

As is always the case when a finding is a big one, the researchers gave this vulnerability a name, ChaosDB, and informed Microsoft following the rules of responsible disclosure.

The Redmond company reacted promptly, in less than 48 hours, by disabling this software option, which was enabled by default on all CosmosDB instances regardless of usage, and alerted customers of the risk so that they could modify their configurations to remedy the risk of potential compromise.

I conclude this discussion with a series of five questions to clarify the real risk, lastly offering my reflection on the subject.

So is the cloud safe?

As safe as any implementation reachable by anyone who is authorized, from anywhere on the planet, can be. What raises the level of safety, compared with companies whose main activity is something else, is the constant and continuous attention of those who generate an important part of their profits from these services and have every interest in building and preserving a relationship of trust based on the integrity of the data, as well as their confidentiality.

But did this vulnerability stay active for months before it was detected?

Like hundreds of thousands of vulnerabilities, some of which remain dormant for years until they are discovered. Microsoft has also confirmed that there was no unauthorized access to data due to this vulnerability. It should also be remembered that a vulnerable component does not necessarily mean a vulnerable platform.

How can I protect myself from cloud attacks?

By taking care to always have maximum visibility into your digital environment, together with knowledge of the different configuration options of the instances activated in cloud environments. For example, although vulnerable because of a software component such as Jupyter Notebook, a CosmosDB database becomes compromisable only if exposed to public reachability over the Internet. And we must not forget the internal risk, deriving from attackers exploiting vulnerabilities from within the security perimeter.
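The visibility the answer calls for starts with knowing which database accounts actually answer on a public endpoint. The script below is an added example, not code from the article, from Microsoft or from Wiz: it takes a JSON export of Cosmos DB accounts in the shape produced by `az cosmosdb list` (the `publicNetworkAccess`, `ipRules`, `isVirtualNetworkFilterEnabled` and `virtualNetworkRules` account properties) and classifies each account as private, restricted or open to the whole Internet. The account records embedded in it are constructed for illustration.

```python
"""Classify exported Azure Cosmos DB account configurations by public exposure.

Added example, not part of the original article. It assumes the JSON shape
returned by `az cosmosdb list -o json`; the sample records below are constructed.
"""
import json
from typing import Dict, List

# Constructed sample export, trimmed to the fields that matter for network exposure.
SAMPLE_EXPORT = json.dumps([
    {   # public endpoint, no source filter at all: reachable from anywhere
        "name": "orders-prod",
        "publicNetworkAccess": "Enabled",
        "ipRules": [],
        "isVirtualNetworkFilterEnabled": False,
        "virtualNetworkRules": [],
    },
    {   # public endpoint, but only one documentation-range prefix may connect
        "name": "analytics-internal",
        "publicNetworkAccess": "Enabled",
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
        "isVirtualNetworkFilterEnabled": False,
        "virtualNetworkRules": [],
    },
    {   # public endpoint switched off entirely (private endpoints only)
        "name": "hr-private",
        "publicNetworkAccess": "Disabled",
        "ipRules": [],
        "isVirtualNetworkFilterEnabled": False,
        "virtualNetworkRules": [],
    },
    {   # public endpoint, limited to a virtual-network subnet (placeholder id)
        "name": "reporting-vnet",
        "publicNetworkAccess": "Enabled",
        "ipRules": [],
        "isVirtualNetworkFilterEnabled": True,
        "virtualNetworkRules": [{"id": "/subscriptions/<sub-id>/.../subnets/app"}],
    },
])


def classify_account(acct: Dict) -> str:
    """Return 'private', 'restricted' or 'open' for one account record.

    'open' is the condition the article warns about: the account answers on its
    public endpoint and no IP or virtual-network filter limits who may connect.
    """
    if str(acct.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return "private"
    has_ip_filter = bool(acct.get("ipRules"))
    has_vnet_filter = bool(acct.get("isVirtualNetworkFilterEnabled")) and bool(
        acct.get("virtualNetworkRules")
    )
    return "restricted" if (has_ip_filter or has_vnet_filter) else "open"


def find_open_accounts(export_json: str) -> List[str]:
    """Sorted names of accounts reachable from any Internet source."""
    accounts = json.loads(export_json)
    return sorted(a["name"] for a in accounts if classify_account(a) == "open")


def summarize(export_json: str) -> Dict[str, int]:
    """Count accounts per exposure class, for a quick inventory view."""
    counts = {"open": 0, "restricted": 0, "private": 0}
    for acct in json.loads(export_json):
        counts[classify_account(acct)] += 1
    return counts


if __name__ == "__main__":
    for name in find_open_accounts(SAMPLE_EXPORT):
        print(f"OPEN: {name} answers on the public endpoint with no source filter")
    print(summarize(SAMPLE_EXPORT))
```

Run against a real export, the "open" list is the set of accounts where a vulnerable ancillary component becomes reachable by anyone; the "restricted" and "private" classes are the configurations the article's advice points to. The script only reads configuration and makes no changes.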

How can I mitigate the risk of this vulnerability?

In addition to the guidance provided by Microsoft, two days ago Wiz itself published some interesting guidelines on the subject, which can be consulted at the link listed at the end of this article.

But shouldn't it be Microsoft's responsibility to ensure the security of my cloud account?

No. Or rather, not completely. It is certainly Microsoft's job to ensure that the software and platforms offered as a service remain as free as possible from bugs and vulnerabilities, an activity that is continually carried out by anyone offering cloud services to third parties. In fact, in this case the vulnerability was found in a continuous relationship between Microsoft and its partners aimed at increasing the security of services.

It is also important for users to understand the concept of shared responsibility, which I have discussed in more detail in another article and which I summarize here with an example: let's assume we rent a house equipped with all the most advanced and up-to-date safety features, making it practically an impregnable fortress. However, we are the people who are given the keys to open the door of this house. It is we who decide whether, when we leave the house, we leave the windows ajar; we are also the ones who decide to make a spare copy of the keys and tape it under the umbrella stand, because you never know.

The strength of a chain is that of its weakest link, and often that link is what joins the chair to the keyboard.

Marco Rottigni 

Cartoon: Simone Domini

To learn more:

The Jupyter project https://jupyter.org/

Introduction to CosmosDB https://docs.microsoft.com/it-it/azure/cosmos-db/introduction

Wiz's report on the vulnerability https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases

Wiz guidelines on how to mitigate https://www.wiz.io/blog/protecting-your-environment-from-chaosdb