Four security vulnerabilities, recently addressed in Microsoft Windows Patch Tuesday for September, could allow attackers to target Azure cloud customers. The flaws could enable escalation of privilege and remote takeover attacks on exposed systems.
OMIGOD Vulnerabilities Explained: CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649
The four vulnerabilities have been collectively called OMIGOD by Wiz security researchers, who discovered them. “Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open-source code, particularly for customers of cloud computing services,” the report said.
What creates the issue? The fact that the OMI agent is silently deployed without the customer’s knowledge:
When customers set up a Linux virtual machine in their cloud, the OMI agent is automatically deployed without their knowledge when they enable certain Azure services. Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for instance, encrypting files for ransom).
The researchers decided to name the flaws OMIGOD precisely because this was their reaction upon discovering them. The conservative estimate is that thousands of Azure customers and millions of endpoints are exposed. In a small sample of Azure tenants the team analyzed, over 65% were unknowingly at risk.
In other words, the severe issues affect Open Management Infrastructure (OMI), a software agent automatically deployed in a number of Azure services. Here is the list of the OMIGOD flaws, ordered by CVSS score:
- CVE-2021-38647, rated with a CVSS score of 9.8, is a remote code execution vulnerability that doesn’t require authentication (Unauthenticated RCE as root);
- CVE-2021-38648, rated with a CVSS score of 7.8, allows elevation of privilege;
- CVE-2021-38645, rated with a CVSS score of 7.8, allows elevation of privilege;
- CVE-2021-38649, rated with a CVSS score of 7.0, allows elevation of privilege.
What is Open Management Infrastructure (OMI)?
OMI is an open-source product equivalent to Windows Management Instrumentation (WMI). However, it is designed for Linux and UNIX systems, including CentOS, Oracle Linux, SUSE, Ubuntu, Debian, and Red Hat Enterprise Linux servers. The tool enables monitoring, inventory management, and synchronization across various IT environments.
Who is vulnerable to the four OMIGOD Flaws?
According to Wiz, Azure customers on Linux machines are vulnerable if they use some specific services. This could mean more than half of all Azure instances, as per Microsoft. Here’s the list of services exposing Azure users:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
It should be noted that this list is only partial. The Wiz team urges customers who suspect they could be vulnerable to contact them via email for further information.
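Because the agent is installed without the customer being told, the first defensive step is simply to find out whether it is present on a given Linux host and which version is installed. The script below is an added example written for this article; it is not code from Wiz, Microsoft or the OMI project. It assumes the agent ships as a package named `omi` (queried through `dpkg-query` on Debian/Ubuntu or `rpm` on CentOS/RHEL/Oracle Linux/SUSE) and takes the minimum patched version from an environment variable, `OMI_MIN_VERSION`, which is a placeholder to be filled in from the vendor advisory rather than a value stated here.

```shell
#!/bin/sh
# Added example: inventory the OMI agent on this host and compare its version
# against a minimum supplied by the operator (OMI_MIN_VERSION, placeholder).

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# Components are compared numerically left to right; missing components
# count as 0, so "1.6.8" equals "1.6.8.0".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # drop the component just read (and its dot), if any remains
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print the installed version of the "omi" package (assumed package name),
# or nothing if it is not installed. Both package tools are real.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -q omi >/dev/null 2>&1; then
            rpm -q --qf '%{VERSION}' omi
        fi
    fi
}

# check_omi MIN: report the agent's status relative to MIN.
# Exit status: 0 = absent or at/above MIN, 2 = present and below MIN.
check_omi() {
    min="$1"
    # strip a packaging revision such as "-0" so only the upstream version is compared
    v=$(installed_omi_version | sed 's/-.*//')
    if [ -z "$v" ]; then
        echo "omi: not installed on this host"
        return 0
    fi
    if version_ge "$v" "$min"; then
        echo "omi $v: at or above minimum $min"
        return 0
    fi
    echo "omi $v: BELOW minimum $min, patch required"
    return 2
}

# Entry point: only run when the operator has supplied the minimum version
# (placeholder; take the real value from the vendor advisory).
if [ -n "${OMI_MIN_VERSION:-}" ]; then
    check_omi "$OMI_MIN_VERSION"
fi
```

Run it as `OMI_MIN_VERSION=<patched version from the advisory> sh omi_check.sh` on each Linux VM that uses any of the services listed above; a non-zero exit status flags a host that still needs the update, which makes the script easy to fold into an existing fleet-wide compliance job.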
“In addition to Azure cloud customers, other Microsoft customers are affected since OMI can be independently installed on any Linux machine and is frequently used on-premise. For example, OMI is built into System Center for Linux, Microsoft’s server management solution,” the report noted.