Open Management Infrastructure (OMI), a Microsoft open-source management tool, contains critical vulnerabilities. These vulnerabilities provide ways to attack some Microsoft Azure cloud customers.
OMI is used by certain Linux-based services within Microsoft Azure. The core issue, a critical remote code execution vulnerability tracked as CVE-2021-38647, could allow cyber-attackers to take control of any vulnerable host.
The remaining three, CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649, are privilege escalation vulnerabilities. Collectively, the four are tagged OMIGOD.
Microsoft customers using Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights are at risk. Apart from these, OMI is also used in on-premises data centres that run Microsoft’s System Center for Linux.
Microsoft has also identified multiple exploitation attempts, ranging from basic host enumeration to installing a cryptocurrency miner or file share and attempted installations of the Mirai botnet.
One of Microsoft’s OMIGOD advisories said: “Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc).”
Reportedly, most Azure services that use OMI do so without exposing the HTTP/S port, but some Azure products, such as Configuration Management, do expose an HTTP/S port on which OMI listens (typically TCP port 5986). Any configuration in which that HTTP/S listener is enabled could therefore allow remote code execution.
Specifically, anyone with network access to an endpoint running a vulnerable version (earlier than 1.6.8.1) of the OMI agent can execute arbitrary commands via an HTTP request that omits the Authorization header. This is the configuration that exposes CVE-2021-38647.
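To make the two exposure conditions above concrete for a defender, here is an added shell check, written for this page rather than taken from Microsoft’s or Wiz’s tooling. It compares the installed OMI package version against 1.6.8.1 (the patched version named in the article) and reports whether anything on the host is listening on TCP 5986. It assumes the package is named `omi` in dpkg/rpm and that `ss` is available; both are assumptions, not facts from the article.

```shell
#!/bin/sh
# Added example (not from the article): inventory check for the two OMIGOD
# exposure conditions described in the text: an OMI agent older than 1.6.8.1
# and an HTTP/S listener on TCP 5986. Read-only; makes no network requests.

FIXED_OMI_VERSION="1.6.8.1"   # from the article: versions below this are vulnerable

# omi_version_lt A B: true (exit 0) when dotted version A is lower than B.
# Compares up to four numeric components; missing components count as 0.
omi_version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# omi_is_vulnerable VERSION: prints "vulnerable" or "patched" for a given version string.
omi_is_vulnerable() {
    if omi_version_lt "$1" "$FIXED_OMI_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# installed_omi_version: print the installed OMI package version, or nothing.
# Assumption: the package is named "omi" in dpkg or rpm.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null | sed 's/-.*//'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' omi 2>/dev/null
    fi
}

# omi_listener_open: true (exit 0) when a TCP socket is listening on port 5986.
# Assumption: ss (iproute2) is installed; column 4 of "ss -ltn" is Local Address:Port.
omi_listener_open() {
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ':5986$'
}

# report: human-readable summary of both conditions on this host.
report() {
    v=$(installed_omi_version)
    if [ -z "$v" ]; then
        echo "OMI package not installed"
    else
        echo "OMI $v: $(omi_is_vulnerable "$v")"
    fi
    if omi_listener_open; then
        echo "TCP 5986 is listening: HTTP/S exposure of OMI is possible on this host"
    else
        echo "TCP 5986 is not listening locally"
    fi
}

report
```

Run it on each Linux VM or System Center-managed host; a result of “vulnerable” together with a listening port 5986 is the combination the article describes as remotely exploitable, while “vulnerable” alone still matters because of the three local privilege escalation CVEs.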
A cloud security company named Wiz uncovered the OMIGOD vulnerabilities last week. Wiz claims that over 65% of sampled Azure customers were exposed, almost all of them unknowingly.
“Although widely used, OMI’s functions within Azure VMs are almost completely undocumented, and there are no clear guidelines for customers regarding how to check and/or upgrade existing OMI versions,” said Wiz’s Nir Ohfeld when asked.
Wiz also says that an exposed HTTP/S port is the “holy grail” for cyber-attackers.
While Microsoft publicised the OMIGOD vulnerabilities a week ago, many clients are not aware of the present risks, or even that any risk exists, because of the background nature of OMI in Azure.
Moreover, OMI runs within a client’s virtual infrastructure and, as a rule, Microsoft does not consider itself responsible for security within that infrastructure.
When asked to comment, Lydia Leong, Distinguished VP and Analyst at consultancy Gartner, said it had been a bad week for Azure and Microsoft.
Leong said, “Cloud requires customers to trust what they cannot control.” The analyst reasons that while publicity about vulnerabilities like OMIGOD may draw in further cyber-attackers, transparency from providers like Microsoft is critical so that clients can devise a way to safeguard themselves until a feasible solution is found.
“Cloud is a highly complex software system, especially at a massive scale. To be honest, as humans, we are really bad at figuring out the risk of complex systems. But each time there’s a failure, a thousand outraged voices cry out, ‘How could they let this happen?’”
Microsoft has now made a patch available for OMI that addresses these vulnerabilities.