Four critical vulnerabilities were recently discovered in the Open Management Interface (OMI) agent, which is bundled with many Azure services, and they can result in remote code execution and privilege escalation. OMI is Microsoft’s collaboration with The Open Group, used to gain visibility into Linux infrastructure by pulling telemetry. What is unfortunate about this issue is that many customers are completely unaware the agent exists on their platforms. Wiz had this to say about the issue: “We named this quartet of zero-days ‘OMIGOD’ because that was our reaction when we discovered them. We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.” Affected services and tools include the following:
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
The attack surface is quite interesting. The agent runs with root privileges and allows “…communication with a UNIX socket or an HTTP API when configured to allow external access”. When that HTTP API is exposed to the internet, these flaws give attackers root access on the host and the ability to move laterally within the Azure environment; a privileged listener that administrators do not know they are running is exactly the kind of asset that is missed during patching. CVE-2021-38645, CVE-2021-38647, CVE-2021-38638, and CVE-2021-38649 have all been patched in the latest “Patch Tuesday” release.
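Because the article's point is that the agent is present on hosts where nobody expects it, the practical first step for a defender is an inventory: is OMI installed, what version is it, and is its HTTP/HTTPS listener enabled or is it confined to the local UNIX socket? The script below is an added example, not code from the article or from the OMI project. It assumes the standard OMI package layout (`/opt/omi/bin/omiserver` and `/etc/opt/omi/conf/omiserver.conf`) and the `httpport`/`httpsport` keys in that config, where a value of `0` disables the corresponding TCP listener; adjust the paths if your installation differs.

```shell
#!/bin/sh
# Added defensive inventory check for the OMI agent (example code, not from the
# original article or the OMI project). Assumptions: the OMI server binary
# lives at /opt/omi/bin/omiserver, its config at /etc/opt/omi/conf/omiserver.conf,
# and the keys httpport / httpsport are 0 when the TCP listeners are disabled.

OMI_SERVER="${OMI_SERVER:-/opt/omi/bin/omiserver}"
OMI_CONF="${OMI_CONF:-/etc/opt/omi/conf/omiserver.conf}"

# Print the value of a key=value setting from an omiserver.conf-style file.
# Comment lines (##) never match because the key must start the line.
# Prints nothing if the key is absent; returns 1 if the file is unreadable.
omi_conf_value() {
    key="$1"; conf="$2"
    [ -r "$conf" ] || return 1
    grep -E "^[[:space:]]*${key}[[:space:]]*=" "$conf" \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//'
}

# Return 0 and print "key=port" if httpport or httpsport is set to a non-zero
# port (i.e. the agent accepts requests over TCP, not just the UNIX socket).
# Return 1 when both listeners are disabled or unset.
omi_tcp_exposed() {
    conf="$1"
    for key in httpport httpsport; do
        port="$(omi_conf_value "$key" "$conf")"
        case "$port" in
            ''|0) ;;                      # unset or explicitly disabled
            *[!0-9]*) ;;                  # not a plain number; ignore
            *) echo "$key=$port"; return 0 ;;
        esac
    done
    return 1
}

# Human-readable summary for the local host. Always returns 0 so it can be
# dropped into a fleet-wide inventory job without aborting on clean hosts.
omi_report() {
    if [ -x "$OMI_SERVER" ]; then
        echo "OMI agent present: $("$OMI_SERVER" -v 2>/dev/null | head -n 1)"
    else
        echo "OMI agent not found at $OMI_SERVER"
        return 0
    fi
    if exposed="$(omi_tcp_exposed "$OMI_CONF")"; then
        echo "WARNING: OMI TCP listener enabled ($exposed); verify patch level and network exposure"
    else
        echo "OMI serves requests over its local UNIX socket only (no TCP port configured)"
    fi
    return 0
}

omi_report
```

Run it as root across the fleet (for example through your configuration-management tool) and collect the lines starting with `WARNING`; those hosts combine a root-privileged agent with a network listener and should be prioritised for the patch and for a firewall review.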