A set of vulnerabilities in Azure remains open to exploitation because customers are required to apply the patch manually.
Dubbed OMIGOD, the vulnerabilities relate to the Open Management Infrastructure (OMI) agent that is deployed when Azure users set up a Linux virtual machine in the cloud and enable certain Azure services. Attackers can use the four vulnerabilities to obtain root privileges and execute malicious code, including ransomware that encrypts files.
One of the vulnerabilities is an authentication bypass that requires no password at all. Rather than guessing a valid authentication token to insert into a fraudulent OMI web request, simply omitting the authentication token altogether grants access.
The vulnerabilities affect users of Azure services, including Automation, Automatic Update, Operations Management Suite, Log Analytics, Configuration Management, Diagnostics and Container Insights.
Microsoft has released the patch, but the problem is that users may have to apply it themselves, even though the issue resides in Azure Linux installs. Many users may not be aware that they have OMI installed, since it is installed silently when they add one of those Azure services. OMI is also installed independently on other Linux machines and is often used on-premises, so this is not a cloud-only vulnerability.
Management agents like OMI are part of the overall attack surface of a deployed system and as such need to be accounted for in the threat model of the application. Rather than assessing the application in isolation, its deployment-phase behaviour has to be considered. To understand their exposure to this vulnerability, enterprises need to know which assets have the OMI management function enabled and ensure that none of them is directly exposed to the internet.
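As an added example (not from the article, and not Microsoft's own tooling), the following shell script performs the inventory step described above on a Linux host: it checks whether the OMI agent is present and flags any omiserver listener bound to a non-loopback address. The package name, daemon path and the port numbers in the constructed sample are assumptions.

```shell
#!/usr/bin/env bash
# Added inventory check for the OMI agent; not from the article.
# Assumptions (not stated in the article): OMI ships as a package named
# "omi" with its daemon at /opt/omi/bin/omiserver, and listeners are read
# from `ss -ltnp` output. Port numbers in the sample below are constructed.
set -u

# Return 0 when the OMI agent appears to be installed on this host.
omi_installed() {
  [ -x /opt/omi/bin/omiserver ] && return 0
  command -v dpkg >/dev/null 2>&1 && dpkg -s omi >/dev/null 2>&1 && return 0
  command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1 && return 0
  return 1
}

# Read `ss -ltnp` lines on stdin; print the local address:port of every
# omiserver listener bound to something other than loopback.
# Return 0 if at least one such listener was found, 1 otherwise.
omi_exposed_listeners() {
  awk '
    /omiserver/ {
      addr = $4                                   # Local Address:Port column
      if (addr ~ /^(127\.|\[::1\]|::1)/) next     # loopback only: not exposed
      print addr
      found = 1
    }
    END { exit found ? 0 : 1 }
  '
}

# Live check: run on the host and report what is listening.
check_host() {
  if ! omi_installed; then
    echo "OMI agent not found on this host"
    return 0
  fi
  echo "OMI agent present; non-loopback omiserver listeners:"
  ss -ltnp 2>/dev/null | omi_exposed_listeners || echo "  (none)"
}

# Constructed sample of `ss -ltnp` output for offline demonstration.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:5986 0.0.0.0:* users:(("omiserver",pid=1234,fd=7))
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:* users:(("omiserver",pid=1234,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=99,fd=3))'

echo "Exposed omiserver listeners in the sample:"
printf '%s\n' "$SAMPLE_SS" | omi_exposed_listeners || echo "  (none)"
```

Call check_host on a real machine to run the live check; a listener on a wildcard or public address is the exposure the article warns about.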