Flash Notice: Microsoft Azure OMIGOD Vulnerability

September 23, 2021

Overview of OMIGOD AZure Vulnerability

The researchers at Cloud security company, Wiz, disclosed new vulnerabilities that affect Microsoft Azure. Named by Wiz, OMIGOD is the second Azure vulnerability Wiz has discovered in two months. The source of the exploit is a software agent called Open Management Infrastructure (OMI).

OMI is an open-source project that’s sponsored by Microsoft, a Windows Management Infrastructure for UNIX and Linux systems. Because OMI is easy to use, it’s the open-source of choice and has dominated Azure for the past few years.
The problem is that the OMI agent gets automatically deployed without the customers' knowledge when they enable certain Azure services after setting up a Linux virtual machine in their cloud. This means there are four vulnerabilities an attacker can easily exploit. According to Wiz, the vulnerabilities are as follows:

CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

If these vulnerabilities are not patched, attackers could use OMI to gain root access on a remote machine and leverage a remote code execution. So far, over 65% of new users are at risk of dangerous cybersecurity crimes, such as having their files encrypted and held ransom. Cyber intelligence researchers are saying that OMIGOD is a textbook cyber security threat from the 90’s and it’s unusual to see a RCE vulnerability in 2021.

On Tuesday, Microsoft issued a patch for OMIGOD, however; it’s not installed by default by Microsoft for new Linux servers. If you want the patched version, you will need to manually update Linux to version 1.6.8.1.

Azure Services Affected by OMIGOD

Azure Automation
Azure Automatic Update
Azure Operations Management Suite (OMS)
Azure Log Analytics
Azure Configuration Management
Azure Diagnostics

How Avertium is Protecting Our Clients

Avertium is raising awareness for this “hidden” vulnerable service.

Avertium's Recommendations:

Manual Fix Instructions - Version 1.6.8.1 is the patched version.

Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs
Use your platform's package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).
For more information refer to GitHub - microsoft/omi: Open Management Infrastructure.

If you have OMI listening on ports 5985, 5986, 1270, it’s advised that you limit network access to those ports as soon as possible to protect from the RCE vulnerability (CVE-2021-38647).