OMIGOD! Microsoft has fixed some critical bugs in a secretly installed Azure Linux app
Microsoft has addressed four vulnerabilities, collectively known as OMIGOD and including one critical-severity remote code execution bug, in the Open Management Infrastructure (OMI) software agent that is silently installed on Azure Linux machines; Linux machines account for more than half of Azure instances, as Bleeping Computer reported. OMI is an open-source management service that supports most UNIX systems and modern Linux platforms. It is used by multiple Azure services including Operations Management Suite (OMS), Azure Insights, Azure Automation, and others.
The four vulnerabilities were found by researchers Nir Ohfeld and Shir Tamari of cloud security firm Wiz, who named them “OMIGOD”. "Problematically, this 'secret' agent is both widely used (because it is open source) and completely invisible to customers as its usage within Azure is completely undocumented," Ohfeld said.
Ohfeld and Tamari “conservatively estimate” that at least thousands of Azure customers and millions of endpoints have been impacted by these security flaws:
- CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8/10)
- CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8/10)
- CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8/10)
- CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0/10)
According to reports, all Azure customers with Linux machines running one of the following tools or services are at risk:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
"When users enable any of these popular services, OMI is silently installed on their Virtual Machine, running at the highest privileges possible," Ohfeld said adding that "this happens without customers’ explicit consent or knowledge. Users simply click agree to log collection during set-up and they have unknowingly opted in."
The exposure is not limited to Azure: other Microsoft customers can also be affected by the OMIGOD flaws, since the OMI agent “can also be manually installed on-premise as it is built in the System Center for Linux, which is Microsoft's server management tool”.
"This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints," Ohfeld explained regarding the CVE-2021-38647 RCE bug.
"With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple. [T]his vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it,” Ohfeld said.
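A host-side check for the situation the article describes, written as an added example and not taken from the article, Wiz or Microsoft: it finds whether an OMI package older than the fixed release is installed and whether the agent's WS-Man ports are bound. The fixed release (1.6.8-1), the package name `omi`, the path `/opt/omi/bin/omiserver` and the ports 5985, 5986 and 1270 are assumptions stated in the comments, not facts from the article.

```sh
#!/bin/sh
# Added example, not code from the article, Wiz or Microsoft: audit a Linux
# host for an OMI agent older than the release that fixes the OMIGOD CVEs.
#
# Assumptions (labelled here, not taken from the article):
#   - the fixed OMI release is 1.6.8-1, shown by package managers as
#     "1.6.8.1" or "1.6.8-1"; anything lower is treated as vulnerable
#   - the agent package is named "omi" on both deb and rpm systems, and the
#     server binary lives at /opt/omi/bin/omiserver
#   - the remotely reachable listeners are TCP 5985, 5986 and 1270
FIXED_OMI_VERSION="1.6.8.1"
OMI_SERVER_BIN="/opt/omi/bin/omiserver"

# Reduce a package version to dotted digits: "1.6.8-1~ubuntu1" -> "1.6.8.1"
normalize_version() {
    printf '%s\n' "$1" | tr '-' '.' | sed 's/[^0-9.].*$//'
}

# version_lt A B: exit 0 when dotted version A is lower than B.
# Fields are compared numerically; a missing field counts as 0, so
# 1.6.8 < 1.6.8.1 and 1.6.8.1 is not below itself.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Exit 0 when the given OMI package version predates the fixed release.
omi_version_vulnerable() {
    version_lt "$(normalize_version "$1")" "$(normalize_version "$FIXED_OMI_VERSION")"
}

# Installed OMI package version, or empty output when the package is absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        # rpm prints "package omi is not installed" to stdout, so only
        # forward the output when the query succeeded
        pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && printf '%s\n' "$pkg"
    fi
}

# Listening TCP sockets on the assumed OMI ports; empty when none are bound.
omi_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hlnt 2>/dev/null | awk '$4 ~ /:(5985|5986|1270)$/'
    fi
}

# Overall verdict: prints one line per finding, exit 1 when the host is exposed.
audit_omi() {
    ver=$(installed_omi_version)
    if [ -z "$ver" ] && [ ! -x "$OMI_SERVER_BIN" ]; then
        echo "OMI not installed"
        return 0
    fi
    if [ -n "$ver" ] && ! omi_version_vulnerable "$ver"; then
        echo "OMI $ver: at or above fixed release $FIXED_OMI_VERSION"
        return 0
    fi
    echo "OMI ${ver:-(version unknown, $OMI_SERVER_BIN present)}: below fixed release $FIXED_OMI_VERSION"
    found=$(omi_listeners)
    if [ -n "$found" ]; then
        echo "WS-Man listeners bound on OMI ports (reachable if not firewalled):"
        echo "$found"
    fi
    return 1
}

# Run the audit only when asked, so the functions can also be sourced:
#   sh omi_audit.sh audit; echo "exit status: $?"
if [ "${1:-}" = "audit" ]; then
    audit_omi
fi
```

The version comparison is done field by field rather than with `sort -V` so the script also runs on minimal images; a listener on the OMI ports is reported only as a warning, since whether it is reachable from outside still depends on the network security group or host firewall in front of the VM.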