Microsoft has fixed four vulnerabilities, collectively known as OMIGOD, in the Open Management Infrastructure (OMI) software agent that is silently installed on Azure Linux machines, which account for more than half of Azure instances. One of the four is rated critical; the other three are high severity.
OMI is an open-source IT management agent that supports most modern UNIX and Linux platforms and is used by several Azure services, including Operations Management Suite (OMS), Azure Insights and Azure Automation.
The vulnerabilities were discovered by Nir Ohfeld and Shir Tamari, researchers at cloud security company Wiz, who dubbed them OMIGOD.
“The problem is that this ‘secret’ agent is both widely used (because it is open source) and completely invisible to customers, because its use within Azure is completely undocumented,” Ohfeld said.
Millions of endpoints exposed to attacks
The researchers conservatively estimate that thousands of Azure customers and millions of endpoints are affected by these security vulnerabilities:
- CVE-2021-38647 – Unauthenticated remote code execution as root (Severity: 9.8 / 10)
- CVE-2021-38648 – Privilege escalation vulnerability (Severity: 7.8 / 10)
- CVE-2021-38645 – Privilege escalation vulnerability (Severity: 7.8 / 10)
- CVE-2021-38649 – Privilege escalation vulnerability (Severity: 7.0 / 10)
All Azure customers with Linux machines running any of the following tools or services are at risk:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
“When users enable any of these popular services, OMI is silently installed on their virtual machine, running with the highest possible privileges,” Ohfeld added. “This happens without the explicit consent or knowledge of customers. Users simply click ‘Accept’ on log collection during setup and they unknowingly opt in.”
Other Microsoft customers are also affected by the OMIGOD vulnerabilities, since the OMI agent can also be installed manually on-premises: it is bundled with System Center for Linux, Microsoft’s server management tool.
“This is a textbook RCE vulnerability that you would expect to see in the 90s – it is very unusual to have one in 2021 that could expose millions of endpoints,” Ohfeld added about the CVE-2021-38647 RCE bug.
“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.
“[T]his vulnerability can also be used by attackers to gain initial access to a target Azure environment and then move laterally within it.”
It gets worse. The RCE is the simplest RCE you can imagine. Just remove the auth header and you are root. Remotely. On all machines. Is it really 2021?
– Ami Luttwak (@amiluttwak) September 14, 2021
How to secure your Azure Linux endpoint
“Microsoft has released a patched OMI version (1.6.8-1). Additionally, Microsoft has advised customers to manually update OMI; see Microsoft’s suggested steps here,” said Nir Ohfeld, security researcher at Wiz.
“If you have OMI listening on ports 5985, 5986, 1270, we recommend that you immediately limit network access to these ports to protect yourself from the RCE vulnerability (CVE-2021-38647).”
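The two recommendations above (check the installed build, and cut off the OMI listener ports) can be turned into a host triage script. The following is an added example and is not code from the article, from Wiz or from Microsoft. It compares the installed OMI build against 1.6.8-1 (the fixed version named above), looks for listeners on 5985, 5986 and 1270 in `ss -ltn` output, and prints the iptables and Azure NSG rules that restrict those ports. The package name `omi`, the deb-style `1.6.8.1` version format, the management CIDR and the `<rg>`/`<nsg>` placeholders are assumptions, and the `ss` sample used when the script is read offline is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the article, Wiz or Microsoft): triage a Linux host for
# OMIGOD exposure. The fixed build 1.6.8-1 and the ports 5985/5986/1270 are the
# figures quoted in the article; package names, version string formats and the
# management CIDR are assumptions noted inline.

OMI_FIXED="1.6.8-1"
OMI_PORTS="5985 5986 1270"

# Constructed sample of `ss -ltn` output, used when no live ss is available.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5985       0.0.0.0:*
LISTEN 0      128    [::]:5986          [::]:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

# normalize_omi_version V: deb builds of OMI report "1.6.8.1" where rpm builds
# report "1.6.8-1" (assumption about packaging); map the last dotted field to
# the rpm form so one comparison routine serves both.
normalize_omi_version() {
  printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\)\.\([0-9]*\)$/\1-\2/'
}

# version_lt A B: true when A is older than B. Fields are split on '.' and '-'
# and compared numerically (numeric fields only); missing trailing fields are 0.
version_lt() {
  local a b x y
  a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
  b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
  set -- $a
  for y in $b; do
    x=${1:-0}
    if [ $# -gt 0 ]; then shift; fi
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# omi_is_vulnerable V: true when the installed OMI build V predates the fix.
omi_is_vulnerable() {
  version_lt "$(normalize_omi_version "$1")" "$OMI_FIXED"
}

# installed_omi_version: ask the package manager; the package name "omi" is an
# assumption. Prints nothing and returns 1 when the agent is not installed.
installed_omi_version() {
  local v
  if command -v rpm >/dev/null 2>&1; then
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
  fi
  if command -v dpkg-query >/dev/null 2>&1; then
    v=$(dpkg-query -W -f='${Version}\n' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
  fi
  return 1
}

# find_omi_ports: read `ss -ltn` output on stdin and print each OMI port that has
# a listener. The port is whatever follows the last ':' of the local address,
# which also handles IPv6 forms such as [::]:5986. Duplicates are collapsed.
find_omi_ports() {
  awk -v ports="$OMI_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    $1 == "LISTEN" {
      addr = $4; sub(/.*:/, "", addr)
      for (i = 1; i <= n; i++) if (addr == want[i]) print addr
    }' | sort -nu
}

# omi_firewall_rules: print (do not apply) rules that limit the listeners to an
# assumed management network until the agent is upgraded.
MGMT_CIDR="${MGMT_CIDR:-10.0.0.0/8}"
omi_firewall_rules() {
  local p
  for p in $OMI_PORTS; do
    echo "iptables -I INPUT -p tcp --dport $p ! -s $MGMT_CIDR -j DROP"
  done
  # Azure NSG equivalent; <rg> and <nsg> are placeholders for your own names.
  echo "az network nsg rule create -g <rg> --nsg-name <nsg> -n DenyOMI --priority 100 \\"
  echo "  --direction Inbound --access Deny --protocol Tcp --source-address-prefixes Internet \\"
  echo "  --destination-port-ranges $OMI_PORTS"
}

# --- report ---------------------------------------------------------------
v=$(installed_omi_version || true)
if [ -z "$v" ]; then
  echo "OMI: not installed (or package name differs)"
elif omi_is_vulnerable "$v"; then
  echo "OMI $v: VULNERABLE, upgrade to $OMI_FIXED or later"
else
  echo "OMI $v: patched"
fi
if command -v ss >/dev/null 2>&1; then live=$(ss -ltn 2>/dev/null); else live=$SAMPLE_SS; fi
open=$(printf '%s\n' "$live" | find_omi_ports | tr '\n' ' ')
if [ -n "$open" ]; then echo "OMI ports listening: $open"; omi_firewall_rules; fi
```

The script only prints the firewall rules; review them against your own management ranges before applying, because an unconditional deny also cuts off legitimate OMS/Log Analytics traffic until the agent has been upgraded.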
Even though Microsoft pushed a change described as “Enhanced security validation” to the public OMI code on August 11, 2021, effectively laying out all the details a threat actor would need to develop an exploit, the company only released a patched version of the OMI software agent on September 8, and the CVEs were not assigned until a week later, as part of this month’s Patch Tuesday.
To make matters worse, there is no automatic update mechanism that Microsoft can use to update vulnerable agents on all Azure Linux machines, which means customers have to upgrade it manually to secure their endpoints against incoming attacks using OMIGOD exploits.
To manually update the OMI agent, you must: