Overview of the OMIGOD Azure Vulnerability

Researchers at the cloud security company Wiz have disclosed a new set of vulnerabilities affecting Microsoft Azure. Named OMIGOD by Wiz, it is the second Azure vulnerability Wiz has discovered in two months. The vulnerabilities are in a software agent called Open Management Infrastructure (OMI).

OMI is an open-source project sponsored by Microsoft: a Windows Management Infrastructure (WMI) equivalent for UNIX and Linux systems. Because OMI is easy to use, it has become the open-source management agent of choice and has been widely deployed across Azure for the past few years.
The problem is that the OMI agent is deployed automatically, without the customer's knowledge, when certain Azure services are enabled on a Linux virtual machine in their cloud. This exposes four vulnerabilities that an attacker can easily exploit. According to Wiz, the vulnerabilities are as follows:

If these vulnerabilities are not patched, attackers could use OMI to gain root access on a remote machine and execute code remotely. So far, over 65% of new users are at risk of serious cybercrime, such as having their files encrypted and held for ransom. Cyber intelligence researchers are calling OMIGOD a textbook security flaw from the 90's, and it is unusual to see an RCE vulnerability of this kind in 2021.

On Tuesday, Microsoft issued a patch for OMIGOD; however, Microsoft does not install it by default on new Linux servers. If you want the patched version, you will need to manually update OMI to version 1.6.8.1.


Azure Services Affected by OMIGOD

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

How Avertium is Protecting Our Clients

Avertium is raising awareness for this “hidden” vulnerable service.

Avertium's Recommendations:

Manual fix instructions: version 1.6.8.1 of OMI is the patched version; update to it.

If you have OMI listening on ports 5985, 5986, or 1270, it is advised that you limit network access to those ports as soon as possible to protect against the RCE vulnerability (CVE-2021-38647).
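One way to check both recommendations on a Linux VM, as an added example that is not from the Avertium notice or the OMI project: compare the installed OMI version (obtain it from your package manager, e.g. `dpkg -s omi` or `rpm -q omi`; the package name `omi` is assumed) against 1.6.8.1, and flag OMI ports bound to non-loopback addresses in `ss -ltn` output. The sample `ss` output below is constructed.

```shell
#!/bin/sh
# Added example (not from the Avertium notice): defender-side checks for the
# two OMIGOD recommendations on a Linux VM.

PATCHED_OMI_VERSION="1.6.8.1"

# omi_version_is_patched VERSION -> exit 0 if VERSION >= 1.6.8.1, else 1.
# Compares dotted numeric versions field by field ("1.6.10.0" > "1.6.8.1"),
# so a plain string comparison would not do here.
omi_version_is_patched() {
    have="$1"
    want="$PATCHED_OMI_VERSION"
    i=1
    while [ "$i" -le 4 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        h=${h:-0}; w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# exposed_omi_ports: read `ss -ltn` output on stdin and print each OMI port
# (5985, 5986, 1270) bound to something other than loopback. Empty output
# means there is nothing reachable over the network to restrict.
# Usage on a VM:  ss -ltn | exposed_omi_ports
exposed_omi_ports() {
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == 5985 || port == 5986 || port == 1270) &&
                addr != "127.0.0.1" && addr != "[::1]")
                print port
         }' | sort -u
}

# Constructed sample of `ss -ltn` output: 5985 is loopback-only (fine),
# 5986 and 1270 listen on all interfaces (should be firewalled or patched).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*
LISTEN 0      128    [::]:1270          [::]:*'
```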


References

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

https://arstechnica.com/information-technology/2021/09/security-researchers-at-wiz-discover-another-major-azure-vulnerability/

https://www.zdnet.com/article/omigod-azure-users-running-linux-vms-need-to-update-now/
