Microsoft Fixes Critical ‘OMIGOD’ Bugs in Azure Linux Agent

Microsoft has fixed four critical vulnerabilities, collectively called OMIGOD, discovered in the Open Management Infrastructure (OMI) software agent that is quietly installed on Azure Linux machines, which account for more than half of Azure instances.

OMI is a software service for IT management that supports most UNIX systems and modern Linux platforms. It is used by multiple Azure services, including Operations Management Suite (OMS), Azure Insights and Azure Automation.

All of these vulnerabilities were discovered by Nir Ohfeld and Shir Tamari, researchers at the cloud security firm Wiz, who named them OMIGOD. The researchers wrote: “Mistakenly, this ‘secret’ agent is both broadly utilized (because it is open source) and completely unseen to the customers, as its management with Azure is completely undocumented.”

Millions of Endpoints Are Exposed to Attack

The researchers estimate that thousands of Azure customers and millions of endpoints are affected by the following security flaws:

  • CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8/10)
  • CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8/10)
  • CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8/10)
  • CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0/10)

All Azure customers with Linux machines running one of the following tools or services are at risk:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

“When users allow any of these popular services, OMI is silently installed on their Virtual Machine, functioning at the highest rights possible.” This happens without the customer’s explicit consent or knowledge: a user simply agrees to log collection during set-up and has unknowingly opted in.

Other Microsoft customers are also affected by the OMIGOD bugs, since the OMI agent can be installed manually on-premises and is a component of System Center for Linux, Microsoft’s server management tool.

“This is a textbook RCE vulnerability that you would expect to see in the 90’s — it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints.” “With a single packet, a threat actor can become root on a remote machine by simply removing the authentication header. It’s that simple.”

“This vulnerability can also be utilized by threat actors to obtain primary access to a target Azure environment and then move laterally within it.”


How to Protect Your Azure Linux Endpoints?

Microsoft has released a patched OMI version (1.6.8.1) and recommends that customers update OMI manually. If OMI is listening on ports 5985, 5986 or 1270 on any of your machines, limit network access to those ports immediately to protect against the RCE vulnerability (CVE-2021-38647).

Although Microsoft published an ‘Enhanced Security’ commit on August 11, 2021, effectively revealing all the details a threat actor would need to develop an exploit, the company only released a patched OMI agent version on September 8 and only assigned CVEs one week later, as part of this month’s Patch Tuesday.

To make matters worse, there is no auto-update mechanism Microsoft can use to update the vulnerable agents on all Azure Linux machines, which means that users have to upgrade the agent manually to protect their endpoints from incoming attacks using OMIGOD exploits.

To manually update the OMI agent, you have to follow these steps:

  • Add the MSRepo to your system. Depending on the Linux distribution you are using, follow the Microsoft Docs page “Linux Software Repository for Microsoft Products” to install the MSRepo.
  • Then use your platform’s package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).
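As an added example that is not part of the article (and not code from Microsoft or Wiz), the following POSIX shell helper audits a single Linux VM for the two conditions the advice above rests on: whether the installed omi package is older than the patched 1.6.8.1 release, and whether any of the OMI ports 5985, 5986 or 1270 are currently listening. The package name omi, the dpkg-query/rpm/ss invocations and the embedded sample ss output are assumptions about a typical Debian- or RHEL-family host; the script only reads state and changes nothing.

```shell
#!/bin/sh
# Added example: read-only OMIGOD exposure audit for one Linux host.
# Assumptions (not from the article): the agent is packaged as "omi",
# version strings look like 1.6.8.1 (optionally with a -N distro suffix),
# and `ss -tln` is available for listing listening TCP sockets.

PATCHED_OMI_VERSION="1.6.8.1"

# omi_version_is_patched VERSION -> exit 0 if VERSION >= 1.6.8.1, else 1.
# sort -V compares numerically per component, so 1.6.10.0 correctly sorts
# after 1.6.8.1 where a plain string comparison would not.
omi_version_is_patched() {
    v=${1%%-*}   # drop any "-1" style package release suffix
    lowest=$(printf '%s\n%s\n' "$v" "$PATCHED_OMI_VERSION" | sort -V | head -n 1)
    [ -n "$v" ] && [ "$lowest" = "$PATCHED_OMI_VERSION" ]
}

# installed_omi_version -> prints the installed omi package version, or
# nothing if the package is absent. Always returns 0 so callers under
# `set -e` are not aborted by a missing package.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' omi 2>/dev/null
    fi
    return 0
}

# omi_listening_ports SS_OUTPUT -> prints, space separated and sorted,
# whichever of 5985/5986/1270 appear as LISTEN sockets in `ss -tln` output.
# Column 4 is "Local Address:Port"; the port is the text after the last colon,
# which also works for "[::]:5986" and "*:5986".
omi_listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (port == "5985" || port == "5986" || port == "1270") print port
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample `ss -tln` output (not captured from a real host):
# sshd on 22 plus OMI listening on all three OMI ports.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985       0.0.0.0:*
LISTEN 0      128    *:5986               *:*
LISTEN 0      128    [::]:1270            [::]:*'

# Constructed sample with no OMI listener at all.
SAMPLE_SS_NO_OMI='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*'

# audit_omi: report version status and listening ports for this host.
audit_omi() {
    ver=$(installed_omi_version)
    if [ -z "$ver" ]; then
        echo "omi package not found via dpkg/rpm"
    elif omi_version_is_patched "$ver"; then
        echo "omi $ver installed: at or above $PATCHED_OMI_VERSION"
    else
        echo "omi $ver installed: OLDER than $PATCHED_OMI_VERSION, upgrade (apt-get/yum install omi)"
    fi
    if command -v ss >/dev/null 2>&1; then
        ports=$(omi_listening_ports "$(ss -tln 2>/dev/null)")
        if [ -n "$ports" ]; then
            echo "OMI ports listening: $ports (restrict network access until patched)"
        fi
    fi
    return 0
}

audit_omi
```

Run it as root on each Azure Linux VM (or push it through your existing fleet tooling); a host that reports an older version or a listening OMI port is one to patch and firewall first. The audit deliberately does not modify package state or firewall rules, so it is safe to run before the maintenance window.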
