[TheRecord] Microsoft fixes OMIGOD bugs in secret Azure app

As part of its monthly Patch Tuesday security updates, Microsoft has patched a collection of four vulnerabilities in OMI, a mostly unknown application that the company has been silently installing on most Linux-based Azure virtual machines and related systems.

Called Open Management Infrastructure (OMI), the app is the Linux counterpart of Windows Management Instrumentation (WMI): a management service that collects data from the local system and exposes it to a central management server.

Unbeknownst to most Azure customers, Microsoft silently installs the OMI client on Linux-based Azure virtual machines as part of enabling its management services.

The client runs with root privileges, and its role is to integrate the VM with centralized Microsoft management tools like Operations Management Suite (OMS), Azure Insights, Azure Automation, and others.

OMIGOD bug opens Azure environments to easy takeovers

In a report published on Tuesday, cloud security firm Wiz said it found a collection of four security flaws in the OMI client that could allow threat actors to hijack Azure Linux VMs.

Collectively tracked as OMIGOD, the four are detailed below:

CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

Of the four, the first is the most serious issue, as it allows a threat actor to take over an Azure Linux VM simply by sending a single request, with the authentication header stripped, to OMI's network port.

“This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” said Wiz security researcher Nir Ohfeld.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header,” Ohfeld added.

“It’s that simple,” the researcher said.

Once inside a network, the attacker can repeat the attack on other nearby systems for a full network compromise, according to the Wiz team.

Image: Wiz

While CVE-2021-38647 is as bad as it gets, Ohfeld said there’s also a sunny side, as the ports through which this bug can be exploited are not exposed over the internet by default.

If you have OMI listening on ports 5985, 5986, 1270 we advise limiting network access to those ports immediately in order to protect from the RCE vulnerability (CVE-2021-38647).

Wiz security researcher Nir Ohfeld

But if customers disable their Azure network firewall rules or otherwise allow connections to these ports, every VM reachable on them is open to attack.

Furthermore, even if those ports aren't reachable, attackers can still abuse the OMI client through the other three OMIGOD bugs, which require a foothold on the VM first (for example, by tricking an Azure user into opening or interacting with a malicious file); any of the three then lets the attacker's code escalate from that foothold to root.

No automatic patching mechanism

But while Microsoft has released patches for these four OMI vulnerabilities, Ohfeld said that there's no built-in auto-update mechanism in the app, meaning that Azure Linux VMs remain vulnerable until each and every user manually updates the client themselves. That is unlikely to happen widely, mainly because users didn't know the app was installed on their systems in the first place.

Customers who'd like to apply patches can download and install OMI client v1.6.8.1, released last month in the microsoft/omi repository on GitHub.
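Because there is no auto-update, the practical first step is to find out, per VM, which OMI version is installed and whether it is listening on 5985, 5986 or 1270 beyond loopback. The script below is an added example written for this page, not code from The Record, Wiz or Microsoft. It assumes OMI ships as a package named omi (dpkg or rpm), that ss -Hlntp is available for the live check, and it exercises the parsing logic on a constructed socket listing so it runs offline; the 1.6.8.1 threshold is the fixed release the article names.

```shell
#!/bin/sh
# Added example: pre-flight check for OMIGOD exposure on a Linux host.
# Assumptions: package name "omi", ss(8) available for the live check.

PATCHED_OMI="1.6.8.1"     # first fixed release named in the article
OMI_PORTS="5985 5986 1270" # ports Wiz advises restricting

# version_ge A B: exit 0 if dotted/dashed version A is >= version B.
# Handles both deb style (1.6.8.1) and rpm style (1.6.8-1) strings.
version_ge() {
    a="$(printf '%s' "$1" | tr '-' '.')."
    b="$(printf '%s' "$2" | tr '-' '.')."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# omi_listeners LISTING: read `ss -Hlntp` style output from $1 and print
# "port address" for every line bound to one of the OMI ports.
omi_listeners() {
    printf '%s\n' "$1" | awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4; port = addr
            sub(/.*:/, "", port)        # keep only the port
            sub(/:[^:]*$/, "", addr)    # strip the port from the address
            if (port in want) print port, addr
        }'
}

# omi_exposed LISTING: exit 0 if any OMI port is bound beyond loopback.
omi_exposed() {
    omi_listeners "$1" | awk '
        $2 != "127.0.0.1" && $2 != "[::1]" { found = 1 }
        END { exit !found }'
}

# Installed omi package version, empty if the package is absent.
omi_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
}

# Live check for a real VM; not invoked automatically below.
check_host() {
    v="$(omi_package_version)"
    if [ -z "$v" ]; then
        echo "omi package not installed"
        return 0
    fi
    if version_ge "$v" "$PATCHED_OMI"; then
        echo "omi $v: at or above $PATCHED_OMI"
    else
        echo "omi $v: VULNERABLE, update to $PATCHED_OMI or later"
    fi
    if omi_exposed "$(ss -Hlntp)"; then
        echo "OMI port bound beyond loopback; restrict $OMI_PORTS at the NSG"
    fi
}

# Constructed sample of `ss -Hlntp` output (not captured from a real VM).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:5986 0.0.0.0:* users:(("omiserver",pid=1337,fd=7))
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:* users:(("omiserver",pid=1337,fd=8))
LISTEN 0 128 [::]:1270 [::]:* users:(("omiserver",pid=1337,fd=9))'

echo "OMI listeners in sample:"
omi_listeners "$SAMPLE_SS"
if omi_exposed "$SAMPLE_SS"; then
    echo "sample: OMI reachable beyond loopback"
else
    echo "sample: OMI loopback-only"
fi
```

Run check_host on each VM; a version below 1.6.8.1 or a non-loopback listener on any of the three ports is the signal to update the package and add an inbound deny rule for those ports in the VM's network security group.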

“I think that the most interesting thing here is that the RCE is really easy to exploit,” Alon Schindel, threat research lead for Wiz, told The Record in a conversation today. “We’ve already seen some people on Twitter that were able to do so.”

Here’s me exploiting it remotely on a newly provisioned (today) Azure VM with a single curl request, it’s essentially ended up as a zero day as it hasn’t been fixed in Azure. pic.twitter.com/WXWAxE2QtW

— Kevin Beaumont (@GossiTheDog) September 15, 2021

The post Microsoft fixes OMIGOD bugs in secret Azure app appeared first on The Record by Recorded Future.

