Microsoft fixes critical bugs in secretly installed Azure Linux app

Microsoft has addressed four critical vulnerabilities collectively known as OMIGOD, found in the Open Management Infrastructure (OMI) software agent silently installed on Azure Linux machines accounting for more than half of Azure instances.

OMI is a software service for IT management with support for most UNIX systems and modern Linux platforms, used by multiple Azure services, including Open Management Suite (OMS), Azure Insights, Azure Automation.

These vulnerabilities were found by cloud security firm Wiz researchers Nir Ohfeld and Shir Tamari, who dubbed them OMIGOD.

“Problematically, this ‘secret’ agent is both widely used (because it is open source) and completely invisible to customers as its usage within Azure is completely undocumented,” Ohfeld said.

Millions of endpoints exposed to attacks

The researchers “conservatively estimate” that thousands of Azure customers and millions of endpoints are impacted by these security flaws:

• CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8/10)
• CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8/10)
• CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8/10)
• CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0/10)

All Azure customers with Linux machines running one of the following tools or services are at risk:

• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite (OMS)
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics

“When users enable any of these popular services, OMI is silently installed on their Virtual Machine, running at the highest privileges possible,” Ohfeld added. “This happens without customers’ explicit consent or knowledge. Users simply click agree to log collection during set-up and they have unknowingly opted in.”

Other Microsoft customers are also impacted by the OMIGOD flaws, given that the OMI agent can also be manually installed on-premise as it is built in the System Center for Linux, which is Microsoft’s server management tool.

“This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Ohfeld added regarding the CVE-2021-38647 RCE bug. 

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.

“[T]his vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it.”

This is even more severe. The RCE is the simplest RCE you can ever imagine. Simply remove the auth header and you are root. remotely. on all machines. Is this really 2021? pic.twitter.com/iIHNyqgew4

— Ami Luttwak (@amiluttwak) September 14, 2021

How to secure your Azure Linux endpoint

“Microsoft released a patched OMI version (1.6.8.1). In addition, Microsoft advised customers to manually OMI, see the suggested steps by Microsoft here,” Wiz security researcher Nir Ohfeld said.

“If you have OMI listening on ports 5985, 5986, 1270 we advise limiting network access to those ports immediately in order to protect from the RCE vulnerability (CVE-2021-38647).”

Even though Microsoft introduced a Enhanced Security commit on August 11, 2021, effectively exposing all the details threat actors needed to develop an exploit, the company only released a patched OMI software agent version on September 8 and only assigned CVEs one week later, as part of this month’s Patch Tuesday. 

To make things worse, there is no auto-update mechanism Microsoft can use to update the vulnerable agents on all Azure Linux machines, which means that customers have to upgrade it manually to secure endpoints from any incoming attacks using OMIGOD exploits.

To manually update the OMI agent, you have to:

• Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs

• You can then use your platform’s package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).