Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that attackers might have the ability to read, alter or even delete their key databases, according to a copy of the email and a cyber security researcher.
The vulnerability is in the core Cosmos DB database of Microsoft Azure. A research team at security firm Wiz found that it was able to access keys that control access to databases maintained by thousands of companies. Wiz’s chief technology officer, Ami Luttwak, is a former chief technology officer for Microsoft’s Cloud Security Group.
Since Microsoft cannot change these keys itself, it emailed customers on Thursday asking them to create new ones. Microsoft agreed to pay Wiz $40,000 (about Rs. 30 lakhs) for finding the flaw and reporting it, according to an email sent to Wiz.
“We fixed this issue immediately to keep our customers safe and secure. We thank security researchers for working under coordinated vulnerability disclosure,” Microsoft told Reuters.
Microsoft’s email to customers said there was no evidence that the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) had access to the read-write primary key,” the email said.
“This is the worst cloud vulnerability you can imagine. It’s an enduring secret,” Luttwak told Reuters. “This is Azure’s central database, and we were able to get access to any customer database we wanted.”
Luttwak’s team found the issue, dubbed ChaosDB, on Aug. 9 and notified Microsoft on Aug. 12, Luttwak said.
The flaw was in a visualization tool called Jupyter Notebook, which has been around for years but was enabled by default in Cosmos as of February. After Reuters reported the flaw, Wiz detailed the problem in a blog post.
Luttwak said that even customers who have not been notified by Microsoft could have had their keys stolen by intruders, giving them access until those keys are changed. Microsoft notified only customers whose keys were visible this month, while Wiz was working on the issue.
Microsoft told Reuters that “customers who may have been affected have received notification from us” without giving further details.
The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers who infiltrated SolarWinds, and who stole Microsoft’s source code. Then a large number of hackers broke into Exchange email servers while a patch was being developed.
A recent fix for a printer flaw that allowed computers to be taken over had to be redone several times. Another Exchange flaw last week generated an urgent warning from the US government that customers need to install patches released months ago because ransomware gangs are now exploiting it.
The problems with Azure are of particular concern as Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security.
But while cloud attacks are rarer, they can be more devastating when they occur. What’s more, some are never disclosed.
A federally contracted research lab tracks all known security flaws in software and classifies them according to severity. But there is no equivalent system for flaws in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said.
© Thomson Reuters 2021