Skip to content

This week in cloud security

Posted by: GuidePoint Security

2 min read

Published 9/22/2021, 9:00am

Microsoft warns of OMIGOD Azure vulnerabilities

Microsoft has issued guidance on four critical vulnerabilities on Azure Linux machines, which account for more than half the Azure instances. One of the vulnerabilities has an extremely high Common Vulnerability Scoring Systems (CVSS) rating of 9.8.

  • CVE-2021-38647 (CVSS: 9.8)—Unauthenticated Remote Code Execute (RCE) as root
  • CVE-2021-38648 (CVSS: 7.8)—Privilege Escalation
  • CVE-2021-38645 (CVSS: 7.8)—Privilege Escalation
  • CVE-2021-38649 (CVSS: 7.0)—Privilege Escalation

Dubbed “OMIGOD” by the researchers that discovered the bugs, the name is based on the Open Management Infrastructure (OMI) software agent “silently” installed on Linux-based Azure platforms when any one of several popular services is enabled, including Open Management Suite (OMS), Azure Insights, Azure Automation, Azure Automatic Update, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics. 

Researchers describe the high-risk bug with a 9.8 severity rating as a “textbook RCE vulnerability” that you would expect to see in the 1990s. They note that it is highly unusual to discover a similar bug today that has the potential to expose millions of endpoints.

As of this writing, the bugs are currently being exploited to drop botnet and cryptomining malware. 

Part of the challenge for Azure users is that Microsoft introduced an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit. Then, on September 8, Microsoft released a patched version of the OMI software agent but did not assign any CVEs until a week later, making it difficult for some customers to identify the bugs. 

Affected customers have also learned that there is currently no auto-update mechanism to correct the vulnerable agents on impacted Azure Linux machines. Instead–for the moment–customers are being asked to manually secure their endpoints, although Microsoft is in the process of rolling out security updates for cloud customers that have automatic updates enabled. 

Next Steps

To manually patch affected Azure systems, users can find instructions on the Microsoft Security Response Center (MSCR). Microsoft has also stated that “customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available” based on the schedule and directions found on the MSRC.

Organizations that need assistance with managing security on Azure systems are encouraged to work with Microsoft-certified cloud security experts that can conduct security scans and assist with any cloud engineering efforts.

Categories: Blog Cybersecurity

GuidePoint Security

Countering The Threat Of Spear-Phishing
With Spear-Phishing, many organizations feel like their tools will help them stop the attacks. This is true at some levels, […]
Download

Related Articles

View All

  • Security Awareness & Education
Countering The Threat Of Spear-Phishing
Read More < 1 min read
  • AI Security
Supporting Continuous Learning in AI Governance and Security
Posted by: Ed Dunnahoe
Read More 6 min read
  • Blog
Cybersecurity Awareness Month: Tackling the Unsustainable Skills Challenge in Cybersecurity and Observability
Posted by: Ben MartinMooney
Read More 3 min read