On Tuesday, Microsoft released several security updates for bugs that could allow attackers to modify the permissions of Azure cloud customers and take over vulnerable systems.
Researchers from Wiz have dubbed the critical flaws “OMIGOD”, because issues of this kind are more typical of the 90s and strange to see in 2021. The flaws affect Open Management Infrastructure (OMI), a component that many Azure services depend on:
- CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability
- CVE-2021-38648 – Open Management Infrastructure Elevation of Privilege Vulnerability
- CVE-2021-38645 – Open Management Infrastructure Elevation of Privilege Vulnerability
- CVE-2021-38649 – Open Management Infrastructure Elevation of Privilege Vulnerability
Open Management Infrastructure is an open-source framework analogous to Windows Management Infrastructure (WMI) that enables the management of various Linux and Unix systems. It permits monitoring, inventory management, and syncing configurations across IT environments in such systems as CentOS, Oracle Linux, SUSE Linux, Debian, Red Hat Enterprise Linux Server, and Ubuntu.
Customers with Linux machines running the following apps are at risk of exploitation:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
By default, enabling any of these popular services causes the OMI agent to be installed automatically on the customer's virtual machines. This happens without the customer's consent or knowledge.
Aside from Azure cloud customers, other Microsoft users are affected by this issue, since Open Management Infrastructure can be installed on any Linux machine.
The vulnerabilities in the OMI agent could allow remote attackers to execute code on target machines without needing elevated privileges. They could also be chained into more sophisticated attacks.
The most critical of the four is the remote code execution issue (CVE-2021-38647), which is reachable through an internet-exposed HTTPS management port: 5986, 5985, or 1270. It can allow attackers to access a targeted environment without an authenticated account.
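The practical first check for a defender is whether OMI is installed on a host and whether any of the three management ports named above is bound to a non-loopback address. The script below is an added example, not Wiz's or Microsoft's tooling; it assumes the OMI server binary lives at /opt/omi/bin/omiserver (not stated in the article) and reads listener information in the format printed by `ss -ltn`.

```shell
#!/bin/sh
# Added example: flag OMI management ports from the advisory that are exposed
# on a non-loopback address. Ports taken from the article; path is an assumption.
OMI_PORTS="5986 5985 1270"
OMI_SERVER_BIN="/opt/omi/bin/omiserver"   # assumed install location, not from the article

# omi_exposed_ports LISTENERS
# LISTENERS is text shaped like `ss -ltn` output (local address in column 4).
# Prints, space-separated, each OMI port bound to something other than loopback.
omi_exposed_ports() {
    printf '%s\n' "$1" | awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR == 1 && $1 == "State" { next }            # skip the ss header line
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # everything before it
            if ((port in want) && host != "127.0.0.1" && host != "[::1]")
                found = found (found == "" ? "" : " ") port
        }
        END { if (found != "") print found }'
}

# Live check for the current host: returns 1 when OMI is present and exposed.
omi_check_host() {
    if [ ! -x "$OMI_SERVER_BIN" ]; then
        echo "OMI not installed ($OMI_SERVER_BIN missing)"
        return 0
    fi
    exposed=$(omi_exposed_ports "$(ss -ltn 2>/dev/null)")
    if [ -n "$exposed" ]; then
        echo "OMI installed and listening on non-loopback port(s): $exposed"
        return 1
    fi
    echo "OMI installed, no management port exposed beyond loopback"
    return 0
}
```

Run `omi_check_host` on a Linux VM where any of the listed Azure services is enabled; a non-zero exit means the host needs the update before it is reachable from the internet.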
“This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Ohfeld said. “With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.”
OMI is one example of a ‘hidden’ software agent that comes pre-installed and runs in the background in cloud environments. It’s worth noting that these agents are available not just in Azure but also in Google Cloud Platform and Amazon Web Services, Ohfeld noted.