Wiz sessions at Black Hat
ChaosDB: How We Hacked Databases of Thousands of Azure Customers
Sagi Tzadik | Security Researcher, Wiz
Nir Ohfeld | Security Researcher, Wiz
Wednesday, November 10 | 11:20am-12:00pm ( Room BC, ICC Capital Suite 12, Level 3 )
Thursday, November 11 | 1:30pm-2:10pm ( Virtual )
Format: 40-Minute Briefings
Tracks: Cloud & Platform Security
In August 2021, the Wiz Research Team uncovered ChaosDB - a critical cross-tenant vulnerability in Azure Cosmos DB, Azure's flagship managed database solution, which is used by countless organizations. This vulnerability is every company's worst nightmare: even a flawless environment is affected. Easily exploitable, this bug allowed any Azure user to gain full admin access to thousands of customers' databases, including those of Fortune 500 companies, without any form of authorization.
This is an unprecedented cloud vulnerability, considered to be one of the most severe issues ever disclosed in any major cloud platform, and it triggered many questions regarding the security of managed cloud services. Since this vulnerability allowed stealing long-lasting secrets of the target database, attackers may use these secrets at their convenience; the only solution is to rotate the secrets and hope they had not already been used.
In this talk, we will take the attacker's point of view and discuss how we exploited a chain of misconfigurations and vulnerabilities in Azure Cosmos DB. From identifying the attack surface through leveraging a complex chain of vulnerabilities that enabled this exploitation, we will uncover obscure mechanisms in Azure's internal infrastructure that we managed to leverage to gain the ability to arbitrarily query data from customers' Cosmos DB instances.
Finally, we will dive deep into the vulnerability's root cause and describe the potential attack vectors and the best practices learned for building more secure cloud services.
Security Industry Call-to-Action: We Need a Cloud Vulnerability Database
Shir Tamari | Head of Research, Wiz
Alon Schindel | Director of Data and Threat Research, Wiz
Thursday, November 11 | 11:20am-12:00pm ( Room D, ICC Capital Suite, Level 3 )
Format: 40-Minute Briefings
Tracks: Cloud & Platform Security, Policy
The shared responsibility model is broken. Companies are unable to keep up with cloud complexity, while vendors and cloud providers do not provide clear identification, tracking or severity ratings for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of exposure, impact, or mitigation steps for vulnerabilities discovered in their platforms.
Join the Wiz Research Team, who uncovered several unprecedented cloud vulnerabilities in AWS, GCP and Azure, as they walk through their journey and the conclusions they drew from the disclosure process. We will review key learnings and insights from OMIGOD, ChaosDB and the AWS IAM cross-account vulnerabilities we uncovered.
In this session we will make the case for extending the current CVE model to be more cloud-friendly, since the current model is broken, and call on everyone to join the movement for change.