Microsoft this week patched four vulnerabilities in Open Management Infrastructure (OMI), a widely used but little-known software agent embedded in many commonly used Azure services.
The Wiz Research Team discovered these flaws, which include remote code execution bug CVE-2021-38647 and privilege escalation vulnerabilities CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649. Most large organizations using Azure are affected by the flaws, which the team has collectively dubbed OMIGOD.
Open source OMI is the UNIX/Linux equivalent of Windows Management Instrumentation (WMI) and is deployed on many Linux virtual machines in Azure, enabling users to manage configurations across remote and local environments and collect statistics. It's extensively used in many Azure services, though organizations using OMI often don't know it's there – and may not know they need to patch it now.
"Users usually have no clue about OMI," says Wiz research lead Shir Tamari. "When we started this research, we asked people if they were familiar with OMI … no one knows what it is."
When an organization sets up a Linux virtual machine (VM) in its cloud and enables any of these services, OMI is silently installed on its VM and runs at the highest privilege. There is no clear documentation in Azure on how OMI is deployed, monitored, and updated, researchers note.
These vulnerabilities affect several different services within Azure that silently use OMI, such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics. The team notes this is only a partial list and encourages readers to contact them if they know of more services using OMI.
"We conservatively estimate that thousands of Azure customers and millions of endpoints are affected," the Wiz researchers wrote in a blog post on their findings. "In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk."
The flaw that stands out most is CVE-2021-38647, a "textbook RCE vulnerability" that could allow an attacker to become root on a remote machine with a single packet by removing the authentication header. Remote takeover is possible when OMI exposes the HTTPS management port externally (5986/5985/1270). This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM).
"Thanks to the combination of a simple conditional statement coding mistake and an uninitialized authentication struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root," the research team wrote.
Tamari calls the vulnerability, which has a CVSS 3.0 score of 9.8, "very simple to exploit – like, ridiculously easy to exploit," and notes the team has already seen reports across social media from people who have exploited it. He worries that vulnerable targets could be compromised within the next few days, though he notes if a user has a firewall enabled, it's impossible for anyone on the Internet to connect to a vulnerable machine and communicate with the OMI.
OMI is updated through the Azure service that installed it, Wiz researchers say. They urge users to verify their environment is patched and that they're running the latest version of OMI, 220.127.116.11. Wiz also warns that System Center deployments of OMI are at higher risk because the Linux agents have been deprecated; users may need to manually update the OMI agent.
While OMI itself has been updated, it seems the Azure services still need an update. Wiz researchers provided an update as of Sept. 15, 10 a.m. EST, noting that affected Azure services have not yet been fixed, and they still deploy vulnerable OMIs when service are enabled on new machines.