Threat Watch

Researchers Expose Azure “OMIGOD” Open Management Interface 0-Days

Four critical vulnerabilities were recently discovered in the Open Management Interface (OMI) agent in many Azure services that could result in remote code execution and privilege escalation. OMI is Microsoft’s collaboration with The Open Group to get visibility into their Linux infrastructure in VR, pulling telemetry. What is unfortunate about this issue is many customers are completely unaware this agent exists on their platforms. Wiz had to say this about the issue, “We named this quartet of zero-days “OMIGOD” because that was our reaction when we discovered them. We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.” Affected services and tools include the following:

  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)

The attack surface is quite interesting. This tool runs with root privileges allowing “…communication with a UNIX socket or an HTTP API when configured to allow external access”. To note, when exposed to the internet, these flaws allow attackers root access and the ability to move laterally within the Azure environment. CVE-2021-38645, CVE-2021-38647, CVE-2021-38638, and CVE-2021-38649 have all been patched in the latest “Patch Tuesday” release.

ANALYST NOTES

Binary Defense researchers are treating this as a critical issue and it is recommended that businesses running Azure services do the same and apply patches as soon as possible. Cloud infrastructure is gaining focus of threat actors as the realization sets in of just how much sensitive data is available if a compromise is successful. As stated above, the Binary Defense Threat Hunt team is hard at work creating detections to assist in the hunt. NetFlow visibility is also important as one of the techniques involves simply removing the authentication header from a packet, resulting in root privileges. It is recommended to supplement your security teams with a proactive defense, multiplying the chances of stopping a compromise before the incident worsens.

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution