critical

ChaosDB

Published Thu, Aug 26th, 2021

Platforms

Summary

Azure's Cosmos DB database service was vulnerable to remote account takeover. Any Azure user could gain full admin access to other customers' Cosmos DB instances without authorization. The vulnerability had a trivial exploit that doesn't require any previous access to the target environment.

Affected Services

Cosmos DB

Remediation

Regenerate primary read/write key.

Tracked CVEs

No tracked CVEs

References

https://chaosdb.wiz.io/https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Mon, Aug 9th, 2021

Exploitability Period

2017 - 2021

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

8.93

(PI:1.5/A1:22/A2:1/A7:1.1/A8:1)

Discovered by

Nir Ohfeld, Sagi Tzadik, Wiz

More vulnerabilities...

medium

Lightsail object storage access keys logged

Lightsail object storage allows the creation of access keys which were logged to CloudTrail (both access key and secret key)

Scott Piper, Summit RouteAug 5, 2021

medium

DHCP abuse for code exec

Under certain conditions, an attacker can flood DHCP packets to the victim VM, allowing it to impersonate the Metadata server, and grant themselves SSH access.

Imre RadJun 25, 2021

high

Privilege escalation on Dialogflow cloud platform

A privilege escalation vulnerability was discovered in Google's Dialogflow cloud platform. When downgrading a user's role from Developer to Reviewer, the permissions were not properly updated, allo...

lalkaJun 13, 2021

View all