About two weeks ago, researchers at Wiz disclosed a critical flaw in Azure Container databases that made it possible for users to gain complete, unrestricted access to the accounts and instances of other users. Since the entities that use Microsoft Azure are typically large corporations, the implications of this lapse could be dire. However, Microsoft now states that the vulnerability hasn’t caused any actual damage to anyone, and the firm’s investigators haven’t found any signs of malicious access affecting any of the vulnerable customers.
Those who have received a notification on how to secure their ACI (Azure Container Instances) should revoke any privileged credentials deployed prior to August 31, 2021, and apply the best security practices that are laid out on the platform’s website. Note that revoking privileged credentials frequently is a standard security practice that should be followed anyway. Those who haven’t received a notification don’t need to do anything at all and should be totally safe from unauthorized access. The vulnerability has been fixed now. If you’re unsure about something or if you may have missed the alert, you are advised to contact Azure Support.
The issue with the bug discovered by Wiz is that it’s the second-worst possible scenario for cloud computing, only after leaving a database online without setting a password to protect it. The second worrying element is that the flaw has existed since 2019, as it was introduced through the ‘Jupyter Notebook’ feature. However, Microsoft only made this active by default in February 2021, so not all ACI were vulnerable to unauthorized access. Still, the period of exposure is alarmingly lengthy.
Microsoft disabled the feature 48 hours after it was alerted by Wiz, and at that time, it was active in 30% of its Azure userbase. The notifications were distributed only to those affected by Wiz’s research, whose databases were accessed by the white-hat hackers. As such, not the entire 30% has been advised to rotate and regenerate their access keys, even if they should.
The tech giant is now assuring everyone that nothing bad has happened and everything has been fixed already, so they’re playing down the incident in the boldest possible way. Of course, we would never dispute Microsoft’s internal investigation findings, but you should follow the recommended security practices out of an abundance of caution.