Reportedly simple to execute, the attack targets a vulnerability in Open Management Infrastructure (OMI) software preloaded on all Azure Linux virtual machines. Updates must be applied manually.
What’s the nature of the vulnerability?
Microsoft, in a recent Patch Tuesday, addressed several CVEs, including several related to the Open Management Infrastructure (OMI) vulnerability commonly known as OMIGOD.
Conservative estimates for this particular vulnerability suggest potentially thousands of Azure customers and millions of endpoints are at risk of attack without patching the issue.
OMI itself is an open-source project written in C that is used by many Azure services. Notably, the default standalone install, as well as SCOM and Azure Config Management, enable the vulnerable HTTPS ports (listed below).
While the primary vulnerability exploited is CVE-2021-38647, the associated CVEs (listed below) can be used together to similarly escalate privileges on OMI-enabled machines.
At the time of writing, this issue is primarily limited to Linux installations, although organizations that manage Linux hosts with Microsoft System Center (Windows Server 2019 and later) also run OMI on those hosts.
At the time of writing, no attacks have been observed in the wild.
How is the vulnerability exploited?
When a customer builds a cloud-based Linux virtual machine, OMI is deployed by default and enabled alongside several Azure services.
By crafting and sending a packet via HTTPS to a port listening to OMI, it is possible for an attacker to achieve Remote Code Execution (RCE).
This attack is noted as being particularly simple to execute, with an attacker only needing to remove the authentication header of the packet.
What’s at risk?
The exploitation of this vulnerability allows for an attacker to achieve root access on a remote machine.
This is further compounded by the possibility for an attacker to further utilize this for lateral movement in an Azure environment.
As a result, this represents a so-called “holy grail”, since the simple attack enables initial access, effective superuser access and mobility within the network.
While the default firewall rules for Azure limit exposure of this vulnerability to the victim’s internal networks, it still represents a lethal threat to any security posture.
Affected products and services:
- Open Management Infrastructure (prior to 220.127.116.11)
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
- Azure Container Insights
NOTE: The Wiz Research Team describes this as only a partial list.
Associated CVEs:
- CVE-2021-38647 – Unauthenticated RCE as root (Severity 9.8)
- CVE-2021-38648 – Privilege Escalation Vulnerability (Severity 7.8)
- CVE-2021-38645 – Privilege Escalation Vulnerability (Severity 7.8)
- CVE-2021-38649 – Privilege Escalation Vulnerability (Severity 7.0)
What can I do to protect against this vulnerability?
Microsoft has released a patch for OMI (v18.104.22.168) to mitigate the exploitation of CVE-2021-38647 and CVE-2021-38648. Due to procedural issues, this patch must be installed manually.
Microsoft also recommends restricting OMI listening access on ports 5985, 5986, and 1270. Specifically, Azure Configuration Management uses HTTPS port 5986 (the WinRM port), which exposes the RCE vulnerability described in CVE-2021-38647.
Notably, the Wiz Research Team states that most Azure services using OMI deploy without enabling HTTPS port 5986.
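The mitigation guidance above comes down to two checks an operator can run on each Linux host: is OMI listening on 5985, 5986 or 1270 on a non-loopback address, and is the installed OMI package at or above the patched version? The following script is an added example written for this page; it is not tooling from Microsoft or Wiz. It parses `ss -tlnp` output (a constructed sample is embedded so it runs offline), flags OMI ports exposed beyond loopback, and compares a package version against a minimum that you supply from the vendor advisory. The package name `omi` for `dpkg-query`/`rpm` and the `MIN_PATCHED_VERSION` placeholder are assumptions to confirm against the advisory.

```python
"""Exposure check for OMI listeners and OMI package version (added example).

Not Microsoft's or Wiz's code. Assumptions: the OMI package is named "omi"
for dpkg/rpm, and MIN_PATCHED_VERSION is a placeholder that the operator
replaces with the fixed version given in the vendor advisory.
"""
import re
import subprocess
from typing import List, NamedTuple, Optional

# Ports named in the advisory as OMI listeners (5986 is the HTTPS/WinRM port).
OMI_PORTS = {5985, 5986, 1270}

# Placeholder only: take the real fixed version from Microsoft's advisory.
MIN_PATCHED_VERSION = "0.0.0.0"


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


# Local Address:Port column of `ss -tlnp`, e.g. "0.0.0.0:5986", "[::]:5986", "*:5985".
_LOCAL = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[0-9A-Za-z.:]+):(?P<port>\d+)$")
# Process column, e.g. users:(("omiserver",pid=1234,fd=6))
_PROC = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse `ss -tlnp` output into Listener records (header line is skipped)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = _LOCAL.match(fields[3])
        if not m:
            continue
        proc = _PROC.search(line)
        listeners.append(
            Listener(m.group("addr"), int(m.group("port")), proc.group("name") if proc else "")
        )
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def find_exposed_omi_listeners(listeners: List[Listener]) -> List[Listener]:
    """OMI ports bound to anything other than loopback are reachable from the network."""
    return [l for l in listeners if l.port in OMI_PORTS and not is_loopback(l.addr)]


def parse_version(v: str) -> tuple:
    # Tolerates both "1.2.3.4" and package-style "1.2.3-4" by taking all digit runs.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_is_patched(installed: str, minimum: str) -> bool:
    """True when installed >= minimum, padding shorter tuples with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def installed_omi_version() -> Optional[str]:
    """Query dpkg, then rpm, for the 'omi' package version (assumed package name)."""
    for cmd in (["dpkg-query", "-W", "-f=${Version}", "omi"],
                ["rpm", "-q", "--queryformat", "%{VERSION}-%{RELEASE}", "omi"]):
        try:
            r = subprocess.run(cmd, capture_output=True, text=True, check=False)
        except FileNotFoundError:
            continue
        if r.returncode == 0 and r.stdout.strip():
            return r.stdout.strip()
    return None


# Constructed sample: OMI on loopback:5985 (fine), OMI on 0.0.0.0:5986 (exposed), sshd.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*         users:(("omiserver",pid=1234,fd=6))
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*         users:(("omiserver",pid=1234,fd=7))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=700,fd=3))
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for l in find_exposed_omi_listeners(parse_ss_listeners(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED: {l.process} listening on {l.addr}:{l.port}")
    # Live check on this host (requires ss and dpkg/rpm).
    try:
        live = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=False).stdout
        for l in find_exposed_omi_listeners(parse_ss_listeners(live)):
            print(f"EXPOSED (live): {l.process} on {l.addr}:{l.port}")
    except FileNotFoundError:
        print("ss not available; skipping live listener check")
    ver = installed_omi_version()
    if ver is not None:
        print(f"omi {ver}: {'patched' if version_is_patched(ver, MIN_PATCHED_VERSION) else 'NEEDS UPDATE'}")
```

On the constructed sample only the 0.0.0.0:5986 listener is reported, which matches the advisory's point that the HTTPS port is what turns an internal-network service into a remotely reachable one; a loopback-only listener on 5985 is not flagged. Run the live portion as root on each VM, and treat any exposed listener on an unpatched package as a host to isolate at the network layer until the manual update is applied.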
Sources:
OMIGOD vulnerabilities expose thousands of Azure users to hack
OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers
OMIGOD: How to Automatically Detect and Fix Microsoft Azure’s New OMI Vulnerability
‘OMIGOD’ vulnerabilities put Azure customers at risk
Security researchers at Wiz discover another major Azure vulnerability
Microsoft fixes OMIGOD bugs in secret Azure app