
Microsoft fixes critical bugs in secretly installed Azure Linux application

Microsoft fixes critical bugs affecting more than 50% of Azure instances

Microsoft fixed four critical vulnerabilities collectively known as OMIGOD, found in the Open Management Infrastructure (OMI) software agent silently installed on Azure Linux machines representing more than half of Azure instances.

OMI is an IT management software service that supports most modern UNIX systems and Linux platforms and is used by several Azure services, including Open Management Suite (OMS), Azure Insights and Azure Automation.

These vulnerabilities were discovered by researchers at cloud security company Wiz, Nir Ohfeld and Shir Tamari, who dubbed them OMIGOD.

“Problem: this ‘secret’ agent is both widely used (because it is open source) and completely invisible to customers because its use within Azure is completely undocumented,” said Ohfeld.

Millions of endpoints exposed to attacks

The researchers cautiously estimate that thousands of Azure customers and millions of endpoints are affected by these security vulnerabilities:

  • CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8 / 10)
  • CVE-2021-38648 – Privilege Escalation Vulnerability (Severity: 7.8 / 10)
  • CVE-2021-38645 – Privilege Escalation Vulnerability (Severity: 7.8 / 10)
  • CVE-2021-38649 – Privilege Escalation Vulnerability (Severity: 7.0 / 10)

All Azure customers with Linux machines running any of the following tools or services are at risk:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure diagnostics

“When users activate one of these popular services, OMI is silently installed on their virtual machine, running with the highest possible privileges,” Ohfeld added. “This is happening without the explicit consent or knowledge of customers. Users simply click ‘accept log collection’ during setup, and they have unknowingly chosen to.”

Other Microsoft customers are also affected by the OMIGOD vulnerabilities, since the OMI agent can also be installed manually on-premises, where it is integrated with System Center for Linux, Microsoft’s server management tool.

“This is a manual RCE vulnerability that you would expect to see in the 90s – it is very unusual to have one in 2021 that could expose millions of endpoints,” Ohfeld added about the CVE-2021-38647 RCE bug.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.

“[T]his vulnerability can also be used by attackers to gain initial access to a target Azure environment and then move laterally within it.”

How to secure your Azure Linux endpoint

“Microsoft has released a corrected OMI version (1.6.8.1). Additionally, Microsoft has advised OMI customers to update manually; see Microsoft’s suggested steps here,” said Nir Ohfeld, security researcher at Wiz.

“If you have OMI listening on ports 5985, 5986, 1270, we recommend that you immediately limit network access to these ports to protect yourself from the RCE vulnerability (CVE-2021-38647).”

Even though Microsoft published a security-enhancing commit to the open-source OMI code on August 11, 2021, effectively laying out all the details a threat actor would need to develop an exploit, the company did not release a patched version of the OMI software agent until September 8, and only assigned CVEs a week later, as part of this month’s Patch Tuesday.

To make matters worse, there is no automatic update mechanism that Microsoft can use to update vulnerable agents on all Azure Linux machines, which means customers have to upgrade the agent manually to secure their endpoints against incoming attacks using OMIGOD exploits.
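As an added triage example (not code from the article, Wiz or Microsoft), the following POSIX shell script checks whether the installed OMI package is older than the fixed 1.6.8.1 release and whether any of the three ports named above are listening locally; the package name `omi` and the use of `dpkg-query`, `rpm` and `ss` are assumptions about the host.

```shell
#!/bin/sh
# Added example: OMIGOD triage checks for an Azure Linux VM (not code from
# the article, Wiz or Microsoft). Assumes the fix version 1.6.8.1 and the
# ports 5985/5986/1270 named in the article; package name "omi" is assumed.
FIXED_OMI_VERSION="1.6.8.1"
OMI_PORTS="5985 5986 1270"

# Return 0 (true) when dotted version $1 is older than $2 (up to 4 fields).
version_lt() {
    set -- "$1.0.0.0" "$2.0.0.0"   # pad so that 1.6.8 compares as 1.6.8.0
    a=$(printf '%s' "$1" | cut -d. -f1-4)
    b=$(printf '%s' "$2" | cut -d. -f1-4)
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Return 0 when the given OMI version is still affected by OMIGOD.
omi_is_vulnerable() { version_lt "$1" "$FIXED_OMI_VERSION"; }

# Installed OMI version from the package manager (empty if not installed).
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null | cut -d- -f1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}\n' omi
    fi
}

# Print each OMI port that currently has a TCP listener on this host.
listening_omi_ports() {
    for p in $OMI_PORTS; do
        ss -Hlnt 2>/dev/null | grep -q ":$p " && printf '%s\n' "$p"
    done
}

report() {
    v=$(installed_omi_version)
    if [ -z "$v" ]; then echo "OMI package not found; nothing to do."
    elif omi_is_vulnerable "$v"; then echo "OMI $v < $FIXED_OMI_VERSION: upgrade required."
    else echo "OMI $v is at or above $FIXED_OMI_VERSION."; fi
    for p in $(listening_omi_ports); do
        echo "Port $p is listening: restrict network access until upgraded."
    done
}
report
```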

To manually update the OMI agent, you must:

