This week in cloud security
Posted by: GuidePoint Security
Published 9/22/2021, 9:00am
Microsoft warns of OMIGOD Azure vulnerabilities
Microsoft has issued guidance on four critical vulnerabilities affecting Azure Linux machines, which account for more than half of all Azure instances. One of the vulnerabilities carries an extremely high Common Vulnerability Scoring System (CVSS) rating of 9.8.
- CVE-2021-38647 (CVSS 9.8): Unauthenticated Remote Code Execution (RCE) as root
- CVE-2021-38648 (CVSS 7.8): Privilege Escalation
- CVE-2021-38645 (CVSS 7.8): Privilege Escalation
- CVE-2021-38649 (CVSS 7.0): Privilege Escalation
The researchers who discovered the bugs dubbed them “OMIGOD”, after the Open Management Infrastructure (OMI) software agent that is “silently” installed on Linux-based Azure platforms when any one of several popular services is enabled, including Open Management Suite (OMS), Azure Insights, Azure Automation, Azure Automatic Update, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics.
Researchers describe the high-risk bug with the 9.8 severity rating as a “textbook RCE vulnerability” of the kind you would expect to see in the 1990s. They note that it is highly unusual today to discover a bug of that kind with the potential to expose millions of endpoints.
As of this writing, the bugs are being exploited to drop botnet and cryptomining malware.
Part of the challenge for Azure users is that Microsoft published an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit. Then, on September 8, Microsoft released a patched version of the OMI software agent but did not assign any CVEs until a week later, making it difficult for some customers to identify the bugs.
Affected customers have also learned that there is currently no auto-update mechanism to correct the vulnerable agents on impacted Azure Linux machines. For the moment, customers are being asked to secure their endpoints manually, although Microsoft is in the process of rolling out security updates for cloud customers that have automatic updates enabled.
Next Steps
To manually patch affected Azure systems, users can find instructions on the Microsoft Security Response Center (MSRC). Microsoft has also stated that “customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available” based on the schedule and directions found on the MSRC.
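Because the agent is installed silently and has no auto-update path, the first practical step for an administrator is to find out whether OMI is present on each Linux VM, which version it runs, and whether it is configured to listen on the network at all. The script below is an added, read-only inventory check written for this page; it is not code from GuidePoint or Microsoft. It assumes the standard OMI package layout (`/opt/omi/bin/omiserver`, `/etc/opt/omi/conf/omiserver.conf`, package name `omi`), GNU `sort -V` for version ordering, and the fixed version string is a placeholder that must be filled in from the MSRC guidance, since this post does not state it.

```shell
#!/usr/bin/env bash
# Added example (not from the GuidePoint post or from Microsoft): a read-only
# check that reports OMI agent presence, version, and network-listener
# configuration on a Linux host the administrator owns.
# ASSUMPTIONS: standard OMI paths and package name; GNU sort -V available;
# FIXED_OMI_VERSION is a placeholder to be set from the MSRC guidance.

FIXED_OMI_VERSION="${FIXED_OMI_VERSION:-X.Y.Z-N}"   # placeholder: take from MSRC
OMI_SERVER=/opt/omi/bin/omiserver
OMI_CONF=/etc/opt/omi/conf/omiserver.conf

# Normalise "1.6.8-1" and "1.6.8.1" style strings to dot-separated numbers so
# package-manager and binary-reported versions compare consistently.
normalize_version() { printf '%s' "$1" | tr '-' '.'; }

# Returns 0 (true) if version $1 is strictly older than version $2.
version_lt() {
  local a b
  a=$(normalize_version "$1")
  b=$(normalize_version "$2")
  [ "$a" != "$b" ] &&
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$a" ]
}

# Installed OMI version: ask the package manager first, fall back to asking the
# binary itself (assumed to print "<path>: <version>"). Empty output means absent.
installed_omi_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}' omi 2>/dev/null && return 0
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null && return 0
  fi
  [ -x "$OMI_SERVER" ] && "$OMI_SERVER" -v 2>/dev/null | sed 's/.*: *//'
}

# Reads omiserver.conf text on stdin. Returns 0 if httpport or httpsport is set
# to a non-zero value (a network listener is configured), 1 otherwise.
# Commented-out lines ("#httpport=...") do not match and are ignored.
network_listener_enabled() {
  awk -F= '
    /^[[:space:]]*https?port[[:space:]]*=/ {
      gsub(/[[:space:]]/, "", $2)
      if ($2 != "0") found = 1
    }
    END { exit found ? 0 : 1 }'
}

main() {
  local ver
  ver=$(installed_omi_version || true)
  if [ -z "$ver" ]; then
    echo "OMI agent: not installed"
    return 0
  fi
  echo "OMI agent: installed, version $ver"
  if version_lt "$ver" "$FIXED_OMI_VERSION"; then
    echo "STATUS: older than $FIXED_OMI_VERSION - apply the update per MSRC guidance"
  else
    echo "STATUS: at or above $FIXED_OMI_VERSION"
  fi
  if [ -r "$OMI_CONF" ] && network_listener_enabled < "$OMI_CONF"; then
    echo "EXPOSURE: omiserver configured with a network listener (httpport/httpsport != 0)"
  else
    echo "EXPOSURE: no network listener configured (local socket only)"
  fi
}

main "$@"
```

Run it as root on each Linux VM (or through your configuration-management tooling) and treat any host that reports an installed version below the MSRC-published fix, or a configured network listener, as a priority for the manual update described above. The network check is deliberately separate from the version check: a patched agent with a listener is fine, an unpatched agent without one is still a local privilege-escalation risk per the CVEs listed in this post.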
Organizations that need assistance with managing security on Azure systems are encouraged to work with Microsoft-certified cloud security experts that can conduct security scans and assist with any cloud engineering efforts.
GuidePoint Security