Updated: Nov 30, 2021
One of Microsoft's products is Linux virtual machines running on its Azure cloud. To manage these virtual machines, Microsoft installs an open-source management tool called OMI, which stands for Open Management Infrastructure. OMI is a Microsoft-sponsored open-source project that provides Windows Management Infrastructure-style management for UNIX and Linux systems. Because OMI is easy to use, it has become the open-source management agent of choice and has dominated Azure for the past few years.
At risk are Microsoft customers using Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights. OMI is also used in on-site data centres that run Microsoft's System Center for Linux. Microsoft has identified multiple exploitation attempts, ranging from basic host enumeration to attempts to install a cryptocurrency miner or file share and attempted installations of the Mirai botnet.
In particular, anyone with access to an endpoint running a vulnerable version of the OMI agent (older than 1.6.8.1) can execute arbitrary commands by sending an HTTP request without an Authorization header. This missing-authentication flaw is tracked as CVE-2021-38647. Cloud security company Wiz uncovered the OMIGOD vulnerabilities last week and says over 65% of sampled Azure customers were exposed, almost all of them unknowingly.
The worst part is that OMI is deployed inside customers' virtual machines by Microsoft, yet most customers won't even know it's there. Azure has no clear documentation on how OMI is deployed, monitored and updated. Microsoft has released a patch, but it's up to customers to find the affected systems and install it.
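Finding affected systems comes down to locating the OMI agent on each Linux VM and comparing its version with the first fixed release. The following script is an added example, not code from the article, Wiz or Microsoft: it parses the version out of package-manager or omiserver output and flags anything older than 1.6.8.1. The sample outputs are constructed to imitate `dpkg -l omi`, `rpm -q omi` and `/opt/omi/bin/omiserver -v`; run the real commands on a host and feed their output to `assess()`.

```python
import re
from typing import Optional, Tuple

# First OMI release that fixes CVE-2021-38647 (OMIGOD).
FIXED_VERSION = (1, 6, 8, 1)

# A version token: digits separated by '.' or '-', e.g. "1.6.8.1" or "1.6.8-1".
_VERSION_RE = re.compile(r"\b(\d+(?:[.-]\d+)+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first OMI version found in package-manager or omiserver output.

    Accepts both dotted ("1.6.8.1") and dash-separated ("1.6.8-1") forms and
    normalises them to a tuple of integers so they can be compared.
    """
    for line in text.splitlines():
        if "omi" not in line.lower():
            continue
        m = _VERSION_RE.search(line)
        if m:
            return tuple(int(p) for p in re.split(r"[.-]", m.group(1)))
    return None


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the installed OMI is older than the first fixed release."""
    # Pad shorter tuples so (1, 6, 8) compares as (1, 6, 8, 0).
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def assess(output: str) -> str:
    """Human-readable verdict for one host's command output."""
    v = parse_version(output)
    if v is None:
        return "omi not installed"
    label = ".".join(map(str, v))
    return f"omi {label}: {'VULNERABLE, patch required' if is_vulnerable(v) else 'patched'}"


# Constructed sample outputs (not real captures) in the shape of
# `dpkg -l omi`, `rpm -q omi` and `/opt/omi/bin/omiserver -v`.
SAMPLES = {
    "dpkg-old": "ii  omi  1.6.4.1  amd64  Open Management Infrastructure",
    "rpm-old": "omi-1.6.6-0.x86_64",
    "omiserver-fixed": "/opt/omi/bin/omiserver: 1.6.8-1",
    "absent": "dpkg-query: no packages found matching omi",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:16} -> {assess(out)}")
```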
Azure Services Affected by OMIGOD:
Azure Automatic Update
Azure Operations Management Suite (OMS)
Azure Log Analytics
Azure Configuration Management
Wiz researchers discovered four critical vulnerabilities in OMI that can be used to remotely execute code within the network with a single request and to escalate to root privileges. Separately, Wiz researchers found another vulnerability, dubbed ChaosDB, that allows Azure users to access other users' cloud databases, breaking the principle of secure multitenancy.
Wiz has released an OMIGOD identification and remediation checklist to help companies address the issue. Microsoft has also released its own guidance to help customers address the OMIGOD vulnerabilities. Unfortunately, not everyone got the memo or installed the patches before hackers got wind of the vulnerability.
The flaws, collectively called OMIGOD, impact a software agent called Open Management Infrastructure that is automatically deployed in many Azure services:
CVE-2021-38647 (CVSS score: 9.8) – Open Management Infrastructure Remote Code Execution Vulnerability
CVE-2021-38648 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38645 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38649 (CVSS score: 7.0) – Open Management Infrastructure Elevation of Privilege Vulnerability