Microsoft Azure OMI Vulnerabilities, Dubbed 'OMIGOD,' Still Not Patched
Microsoft's Open Management Infrastructure (OMI) vulnerabilities, disclosed with this week's update Tuesday patch releases, demonstrated yet another hole in Azure security.
The OMI vulnerabilities were responsibly disclosed to Microsoft by security researchers at Wiz, a Tel Aviv- and Palo Alto, Calif.-based maker of cloud security solutions. They further described the OMI vulnerabilities in this Sept. 14 Wiz research blog post.
The Wiz researchers are no strangers to Microsoft, as many of them had worked at Microsoft following its 2015 acquisition of Adallom.
"Wiz was founded in January 2020 by the former leads of Microsoft's Cloud Security Group and the founding team of Adallom, which was acquired by Microsoft in 2015 for $320 million," Wiz explained, in a recent press release.
Azure Now Patched
Update 9/29: Microsoft announced on Sept. 29 that it had patched Azure for the OMI vulnerabilities, but on-premises users of OMI below version 1.6.8-1 still must manually update their agents.
Here's how the announcement put it:
Microsoft has patched all agents installed via extensions (cloud environments). Instances where the Agent was installed as shell bundles, on-prem or physical hardware you manage, your IT organization will have to manually update the agents.
Scripts to check for vulnerable OMI instances were included in the announcement.
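A version check against the 1.6.8-1 threshold mentioned above, as an added example (it is not one of Microsoft's published scripts and is not from the original article). It assumes the agent is registered with the system package manager under the package name `omi`; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example: flag OMI agents older than the fixed release named in the article.
OMI_FIXED="1.6.8-1"

# Succeeds (exit 0) when version $1 is lower than version $2.
# Fields are split on "." and "-" so "1.6.8.0" and "1.6.8-0" compare alike.
omi_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Prints VULNERABLE or PATCHED for a version string.
omi_status() {
    if omi_version_lt "$1" "$OMI_FIXED"; then echo VULNERABLE; else echo PATCHED; fi
}

# Prints the installed version; the package name "omi" is an assumption.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1 &&
       v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && [ -n "$v" ]; then
        printf '%s\n' "$v"; return 0
    fi
    if command -v rpm >/dev/null 2>&1 &&
       v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null); then
        printf '%s\n' "$v"; return 0
    fi
    return 1
}

# Constructed sample versions, so the comparison can be checked offline.
for s in 1.6.4-0 1.6.8.0 1.6.8-1 1.6.10-2; do
    printf '%-10s %s\n' "$s" "$(omi_status "$s")"
done

if v=$(omi_installed_version); then
    printf 'this host: omi %s is %s\n' "$v" "$(omi_status "$v")"
else
    echo "this host: no omi package found via dpkg-query or rpm"
fi
```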
Microsoft's Sept. 29 announcement was aimed at Azure Monitor users. It included a note that "the OMS Agent is in process of being deprecated and will no longer be supported by Microsoft as of August 2024." The Operations Management Suite (OMS) Agent for Linux is also known as the "Log Analytics agent for Linux." It enables "rich and real-time analytics for operational data (Syslog, performance, alerts, inventory) from Linux servers, Docker containers and monitoring tools like Nagios, Zabbix and System Center," according to its GitHub description.
Azure Security Problems
Last month, Wiz exposed a security flaw in Jupyter Notebook that gave access to Azure Cosmos DB accounts.
This week, Wiz described problems with Microsoft's use of the open source OMI across its Azure services. The simplicity of the attacks leveraging the OMI flaws caused Wiz researchers to declare, "Oh my God," or OMIGOD for short, which is now a Twitter hashtag, namely #OMIGOD.
There are four OMI vulnerabilities getting patched with Microsoft's September security release, according to Wiz. They are:
The OMI security vulnerabilities cut across multiple Azure services. Here's a partial list of the affected software, according to Wiz:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
Microsoft uses OMI, open source software overseen by The Open Group, in these Azure services, but its "agent runs as root with the highest privileges" and "any user can communicate with it using a UNIX socket or via an HTTP API when configured to allow external access," Wiz explained. External users with low privileges can simply execute code remotely on a targeted machine.
Wiz researchers found that attackers can just remove the authentication header to gain root access:
This is a textbook RCE vulnerability that you would expect to see in the 90's -- it's highly unusual to have one crop up in 2021 that can expose millions of endpoints. With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It's that simple.
Even though open source code, such as OMI, is thought to be reviewed by many experts, it can still be a "source of risk," Wiz noted. Customers using cloud services that depend on flawed open source software will likely be unaware of it, though. Wiz suggested that OMI could be just one of many vulnerable "secret" software agents lurking in cloud services environments.
Systems are patched against the vulnerabilities when they are running the latest OMI version, which is version 1.6.8-1, Wiz indicated. However, manual updates may be required for organizations using System Center for Linux:
System Center deployments of OMI are at greater risk because the Linux agents have been deprecated. Customers still using System Center with OMI-based Linux may need to manually update the OMI agent. We'll update this post with more information as it becomes available.
Microsoft's Embrace of OMI
Microsoft describes OMI as "an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards," according to its GitHub page.
OMI essentially solved the problem of getting management information for applications in a standardized way. Microsoft explained that point almost a decade ago in this "Open Management Infrastructure" blog post.
The Common Information Model (CIM) was a sophisticated management model to use, but it was based on Distributed Management Task Force (DMTF) standards that were "a challenge to implement." Microsoft built OMI, its CIM Object Manager, to better implement DMTF standards. The Open Group later released the source code for OMI under the Apache 2 open source license.
OMI's security was considered one of its strong points when Microsoft described it back then.
Azure Not Patched
Despite Microsoft's September patch release with OMI fixes, Azure services are still subject to the OMI vulnerabilities, according to Wiz. Here's its current statement to that effect:
Update September 15, 10:00AM EST - As of now, the affected Azure services (see list below) haven't been fixed. Vulnerable OMI versions are still deployed to new Linux VMs when enabling these services.
Security researcher Kevin Beaumont, formerly of Microsoft, commented on the OMIGOD vulnerabilities in a Twitter post.
"The good thing about #OMIGOD, a vulnerability where no password is needed to remotely execute code on Azure VMs, is MS announced it the same day as going passwordless!" he wrote.
Beaumont was referring to Microsoft's announcement on Wednesday that consumer Microsoft account users now have the option to dispense with passwords.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.