Healthcare IT News
Microsoft flags Azure database vulnerability for thousands of customers
By: Kat Jercich
Photo: Microsoft sign, Wonderlane/Flickr, licensed under CC0 1.0
Microsoft has flagged a critical vulnerability in its Azure Cosmos DB database that allowed cybersecurity researchers to gain unrestricted access to the accounts of several thousand customers.
According to the security firm Wiz, flaws in a Cosmos DB feature would have enabled any user to download, delete or manipulate many customers' commercial databases.
"While leaky storage buckets get a lot of attention, database exposure is the bigger risk for most companies because each one can contain millions or even billions of sensitive records," wrote Wiz's Nir Ohfeld and Sagi Tzadik in a blog post.
"Every CISO’s nightmare is someone getting their access keys and exfiltrating gigabytes of data in one fell swoop," they added.
"We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under Coordinated Vulnerability Disclosure," a Microsoft spokesperson told Healthcare IT News after publication.
WHY IT MATTERS
Cosmos DB is used by several major healthcare companies, including Allscripts, Siemens Healthineers, Cincinnati Children's Hospital Medical Center, Sentara, Walgreens and Rx.Health.
The discovered loophole was rooted in Cosmos DB's Jupyter Notebook data visualization tool, which was automatically turned on in February 2021.
"A series of misconfigurations in the notebook feature opened up a new attack vector we were able to exploit," wrote Ohfeld and Tzadik. "In short, the notebook container allowed for a privilege escalation into other customer notebooks.
"As a result, an attacker could gain access to customers’ Cosmos DB primary keys and other highly sensitive secrets such as the notebook blob storage access token," they added.
The Wiz team demonstrated the keys could be leveraged for full administrative access to the data stored in the affected accounts.
"We exfiltrated the keys to gain long-term access to the customer assets and data. We could then control the customer Cosmos DB directly from the internet, with full read/write/delete permissions," they said.
The Wiz team said Microsoft immediately moved to address the problem after they flagged it, disabling the vulnerable notebook feature within 48 hours.
As reported by Reuters, the company also notified thousands of its customers about the vulnerability, instructing them to create new keys. It agreed to pay Wiz $40,000 for finding the flaw.
The company's message to customers said there was no evidence the flaw had been exploited, said Reuters. Microsoft said customers who may have been impacted received a notification.
Still, Ohfeld and Tzadik warned that more companies could be in danger.
"The vulnerability has been exploitable for at least several months, possibly years. Every Cosmos DB account that uses the notebook feature or that was created after February 2021 is potentially exposed," they said.
"As a precaution, we urge every Cosmos DB customer to take steps to protect their information," they added.
THE LARGER TREND
As more companies pivot to cloud-based data management, inadvertent information exposure is a growing concern.
Just this week, the cybersecurity company UpGuard released a report saying that it had discovered data leaks from dozens of entities as a result of the default permissions on Microsoft Power Apps portals.
The entities included the Maryland Department of Health and the Indiana Department of Health, the latter of which released a separate report (which UpGuard disputed) saying the company had "inappropriately accessed" the information.
"UpGuard did not exceed our authorized access, and while the data should not have been public, the nature of the data could only be ascertained by downloading and analyzing it," countered the cybersecurity organization.
ON THE RECORD
"Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault," wrote Ohfeld and Tzadik.
