Microsoft has fixed four critical vulnerabilities, collectively known as OMIGOD, in the Open Management Infrastructure (OMI) software agent that is silently installed on Azure Linux machines, which represent more than half of all Azure instances.
OMI is an IT management software service that supports most modern UNIX systems and Linux platforms and is used by several Azure services, including Operations Management Suite (OMS), Azure Insights and Azure Automation.
These vulnerabilities were discovered by Nir Ohfeld and Shir Tamari, researchers at cloud security company Wiz, who dubbed them OMIGOD.
“The problem is that this ‘secret’ agent is both widely used (because it is open source) and completely invisible to customers, because its use within Azure is completely undocumented,” said Ohfeld.
Millions of endpoints exposed to attacks
The researchers cautiously estimate that thousands of Azure customers and millions of endpoints are affected by these security vulnerabilities:
- CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8 / 10)
- CVE-2021-38648 – Privilege escalation vulnerability (Severity: 7.8 / 10)
- CVE-2021-38645 – Privilege escalation vulnerability (Severity: 7.8 / 10)
- CVE-2021-38649 – Privilege escalation vulnerability (Severity: 7.0 / 10)
All Azure customers with Linux machines running any of the following tools or services are at risk:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
“When users activate one of these popular services, OMI is silently installed on their virtual machine, running with the highest possible privileges,” Ohfeld added. “This happens without the explicit consent or knowledge of customers. Users simply click to accept log collection during setup and unknowingly make that choice.”
Other Microsoft customers are also affected by the OMIGOD vulnerabilities, since the OMI agent can also be installed manually on-premises: it is integrated with System Center for Linux, Microsoft’s server management tool.
“This is a manual RCE vulnerability that you would expect to see in the 90s – it is very unusual to have one in 2021 that could expose millions of endpoints,” Ohfeld added about the CVE-2021-38647 RCE bug.
“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.
“[T]his vulnerability can also be used by attackers to gain initial access to a target Azure environment and then move laterally within it.”
It is even more serious. The RCE is the simplest RCE you can imagine. Just remove the auth header and you are root. Remotely. On all machines. Is it really 2021? pic.twitter.com/iIHNyqgew4
- Ami Luttwak (ilamiluttwak), September 14, 2021
How to secure your Azure Linux endpoint
“Microsoft has released a corrected OMI version (126.96.36.199). Additionally, Microsoft has advised OMI customers manually; see Microsoft’s suggested steps here,” said Nir Ohfeld, security researcher at Wiz.
“If you have OMI listening on ports 5985, 5986 or 1270, we recommend that you immediately limit network access to these ports to protect yourself from the RCE vulnerability (CVE-2021-38647).”
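The port exposure that Wiz's advice above is about, as an added shell check that is not from the article, Wiz or Microsoft: it parses `ss -ltn` output for OMI's ports (5985, 5986, 1270) bound to a non-loopback address and prints iptables rules that restrict them to a management network CIDR, which is an assumed placeholder value.

```shell
#!/bin/sh
# Added audit helper; not from the article, Wiz or Microsoft.
# Reports OMI management ports reachable from off-box and prints host-firewall
# rules (not executed) that limit them to a management network.

OMI_PORTS="5985 5986 1270"

# omi_exposed_ports LISTENERS
#   LISTENERS is `ss -ltn` output (columns: State Recv-Q Send-Q Local:Port Peer:Port).
#   Prints, one per line, each OMI port bound to something other than loopback.
omi_exposed_ports() {
    printf '%s\n' "$1" | awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # "0.0.0.0:5985" -> "5985"
            host = $4; sub(/:[0-9]+$/, "", host)   # "0.0.0.0:5985" -> "0.0.0.0"
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only: not exposed
            if (!(port in seen)) { seen[port] = 1; print port }
        }'
}

# omi_restrict_rules MGMT_CIDR
#   Prints iptables commands that drop inbound TCP to the OMI ports from any
#   source outside MGMT_CIDR (placeholder; substitute your management range).
omi_restrict_rules() {
    for port in $OMI_PORTS; do
        printf 'iptables -A INPUT -p tcp --dport %s ! -s %s -j DROP\n' "$port" "$1"
    done
}

# omi_audit [MGMT_CIDR]: live check on this host (needs iproute2's `ss`).
# Returns 1 when an OMI port is exposed, 0 otherwise.
omi_audit() {
    exposed=$(omi_exposed_ports "$(ss -ltn)")
    if [ -z "$exposed" ]; then
        echo "No OMI port is bound to a non-loopback address."
        return 0
    fi
    echo "OMI ports reachable from off-box: $(printf '%s' "$exposed" | tr '\n' ' ')"
    omi_restrict_rules "${1:-MGMT_CIDR_PLACEHOLDER}"
    return 1
}
```

Source the script on the VM and run `omi_audit 10.0.0.0/8` (your own management range) to review the rules before applying them; this only narrows exposure to CVE-2021-38647 and does not replace upgrading the agent.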
Even though Microsoft published a security-fix commit on August 11, 2021, effectively laying out all the details a threat actor needs to develop an exploit, the company did not release a patched version of the OMI software agent until September 8, and only assigned CVEs a week later, as part of this month’s Patch Tuesday.
To make matters worse, there is no automatic update mechanism that Microsoft can use to update vulnerable agents on all Azure Linux machines, which means customers have to upgrade the agent manually to secure their endpoints against incoming attacks using OMIGOD exploits.
To manually update the OMI agent, you must: