Staff Writer
Critical vulnerabilities in Open Management Infrastructure (OMI), an open-source management tool from Microsoft, are being exploited by bad actors against some Microsoft Azure Cloud customers.
The core critical remote code execution vulnerability, CVE-2021-38647, could allow cyber-attackers to take control of the vulnerable host. Certain Linux-based services within Microsoft Azure use OMI.
The other vulnerabilities, CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649, are privilege escalation vulnerabilities. Collectively, the four vulnerabilities are tagged OMIGOD.
At risk are Microsoft customers using Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights. OMI is also used in on-site data centres utilising Microsoft’s System Center for Linux.
Microsoft has identified multiple exploitation attempts. These range from basic host enumeration to attempts to install a cryptocurrency miner or file share, and attempted installations of the Mirai botnet.
“Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc),” reads a Microsoft OMIGOD advisory.
While most Azure services that use OMI do so without exposing the HTTP/S port, some Azure products, such as Configuration Management, do expose an HTTP/S port listening for OMI (typically port 5986). A configuration with the HTTP/S listener enabled could allow remote code execution.
In particular, anyone with access to an endpoint running a vulnerable version (earlier than 1.6.8.1) of the OMI agent can execute arbitrary commands by sending an HTTP request without an authorisation header. This configuration is what makes CVE-2021-38647 exploitable.
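A host check for the two conditions the article describes, an OMI agent older than 1.6.8.1 and an OMI HTTP/S listener on a non-loopback address, as an added example that is not code from the article, Microsoft or Wiz; it assumes the agent is installed as a package named "omi" and that `ss` is available.

```bash
#!/usr/bin/env bash
# Added example (not from the article, Microsoft or Wiz). Flags an OMI agent
# older than 1.6.8.1 and an OMI HTTP/S listener (typically TCP 5986) bound to
# anything other than loopback. Assumes the agent ships as a package named "omi".

PATCHED_OMI_VERSION="1.6.8.1"   # first fixed version, per the article

# Normalise package version strings such as "1.6.8-1.el7" to "1.6.8.1".
normalise_version() {
    printf '%s' "$1" | sed -E 's/-/./g; s/[^0-9.].*$//; s/\.$//'
}

# Returns 0 (true) when $1 is a dotted version older than PATCHED_OMI_VERSION.
omi_version_vulnerable() {
    [ -n "$1" ] || return 1      # no version means OMI is not installed
    printf '%s\n' "$1" | awk -F. -v fix="$PATCHED_OMI_VERSION" '{
        n = split(fix, f, ".")
        for (i = 1; i <= n; i++) {          # compare component by component
            a = ($i == "") ? 0 : $i + 0; b = f[i] + 0
            if (a < b) exit 0
            if (a > b) exit 1
        }
        exit 1                              # equal to the fixed version
    }'
}

# Installed OMI version from the package manager; empty when not installed.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null
    fi
}

# Reads `ss -lnt` style output on stdin; returns 0 when the OMI port ($1,
# default 5986) is listening on anything other than loopback.
omi_listener_exposed() {
    awk -v p="${1:-5986}" '
        $1 == "LISTEN" {
            la = $4; port = la; sub(/^.*:/, "", port)
            addr = la; sub(/:[0-9]+$/, "", addr)
            if (port == p && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone run: report both findings for this host.
v=$(normalise_version "$(installed_omi_version || true)")
if omi_version_vulnerable "$v"; then echo "OMI $v is older than $PATCHED_OMI_VERSION: patch it"; fi
if ss -lnt 2>/dev/null | omi_listener_exposed; then echo "OMI HTTP/S listener exposed on 5986"; fi
```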
Cloud security company Wiz uncovered the OMIGOD vulnerabilities last week. Wiz says over 65% of sampled Azure customers were exposed, and almost all unknowingly.
“Although widely used, OMI’s functions within Azure VMs are almost completely undocumented, and there are no clear guidelines for customers regarding how to check and/or upgrade existing OMI versions,” said Wiz’s Nir Ohfeld.
Wiz says an exposed HTTP/S port is the “holy grail” for cyber-attackers.
While Microsoft publicised the OMIGOD vulnerabilities a week ago, the background nature of OMI in Azure means many clients are not aware of the risks or even that it exists.
Further, OMI runs within a client’s virtual infrastructure. As a rule, Microsoft does not consider itself responsible for the security within that infrastructure.
Lydia Leong, Distinguished VP and Analyst at consultancy Gartner, says it has been a bad week for Azure and Microsoft.
“Cloud requires customers to trust what they cannot control,” she says. The security analyst argues that while publicity about vulnerabilities like OMIGOD may draw in further bad actors, the need for transparency from providers like Microsoft is critical.
“Cloud, especially at a massive scale, is a highly complex software system. As humans, we are really bad at figuring out the risk of complex systems. And each time there’s a failure, a thousand outraged voices cry out, ‘How could they let this happen?’”
Microsoft has made a patch available for OMI to mitigate the current vulnerability.