Azure drops vulnerable bots in customer environments by default

A little-known monitoring and management software for Linux virtual machines in Microsoft’s Azure cloud should be patched as soon as possible to avoid exploitation of critical and serious remote code execution and privilege escalation vulnerabilities, researchers warn.

Unbeknownst to Azure customers, Microsoft automatically deploys the open source Open Management Infrastructure agents for Linux instances, security firm Wiz said.

Abbreviated as OMI, the software agents for UNIX/Linux systems are similar to the Windows Management Infrastructure (WMI), leading Wiz to call the set of four vulnerabilities OMIGOD.

OMI is poorly documented, developed by a small team of 20 contributors and runs at the highest, root superuser privileges.

Wiz found a vulnerability with a severity score of 9.8 out of 10 that allows remote code execution, which could be abused by ransomware operators, for example.

The researchers estimate that thousands of Azure customers and millions of endpoints could be vulnerable to the bugs.

“This is a textbook RCE vulnerability that you would expect to see in the 90s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz wrote.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.”

Three other vulnerabilities can be abused for privilege escalation.

Users are vulnerable if they install any of the following services:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

Other Azure services that install OMI could be vulnerable as well.

Wiz warned that the OMI agents are used in Amazon Web Services and Google Cloud Platform as well, along with on-premises installations such as Microsoft’s System Center for Linux.

Microsoft has released patches for the OMIGOD vulnerabilities with the latest version 1.6.8.1 of OMI.
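Because Azure installs OMI without telling the customer, the practical first step for a defender is to inventory which Linux hosts carry the agent and whether it is at or above the fixed release. The script below is an added example, not code from the article or from the OMI project: it compares an installed OMI version against the 1.6.8.1 release the article names as patched, parses the version strings that `dpkg-query` and `rpm` print, and triages a constructed fleet inventory. The RPM output format (`omi-1.6.8-1.x86_64`) is an assumption, as is the exact package name used by the query commands.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Release that, per the article, carries Microsoft's fix for the OMIGOD bugs.
PATCHED_VERSION = "1.6.8.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract an OMI version from package-manager output as a tuple of ints.

    Accepts plain '1.6.8.1' (dpkg style) as well as an assumed RPM form such as
    'omi-1.6.8-1.x86_64': the first run of digits separated by '.' or '-' is taken
    as the version, so a trailing architecture tag is ignored.
    """
    match = re.search(r"\d+(?:[.\-]\d+)*", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in re.split(r"[.\-]", match.group(0)))


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    # Right-pad with zeros so '1.6.8' compares as 1.6.8.0 against 1.6.8.1.
    return v + (0,) * (n - len(v))


def is_patched(version: str) -> bool:
    """True when the installed version is at or above PATCHED_VERSION."""
    installed, fixed = parse_version(version), parse_version(PATCHED_VERSION)
    n = max(len(installed), len(fixed))
    return _pad(installed, n) >= _pad(fixed, n)


def triage(inventory: Dict[str, Optional[str]]) -> List[str]:
    """Return hostnames that have OMI installed below the patched version.

    inventory maps hostname -> raw package-manager output, or None when the
    agent is not installed on that host.
    """
    return sorted(
        host for host, raw in inventory.items()
        if raw is not None and not is_patched(raw)
    )


def installed_omi_version() -> Optional[str]:
    """Query the local package manager for OMI; None if it is not installed.

    Assumes the package is named 'omi' on both Debian- and RPM-based systems.
    """
    for cmd in (["dpkg-query", "-W", "-f=${Version}", "omi"], ["rpm", "-q", "omi"]):
        try:
            result = subprocess.run(cmd, capture_output=True, text=True)
        except FileNotFoundError:
            continue  # that package manager is not present on this host
        if result.returncode == 0 and result.stdout.strip():
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed inventory: what a fleet-wide query might return per host.
    SAMPLE_FLEET = {
        "vm-web-01": "1.6.4.1",               # dpkg-style, pre-fix
        "vm-db-02": "omi-1.6.8-1.x86_64",     # assumed rpm-style, at the fix
        "vm-batch-03": None,                  # OMI not installed
        "vm-log-04": "1.6.8.1",               # exactly the fixed release
    }
    print("hosts needing the OMI patch:", triage(SAMPLE_FLEET))
    local = installed_omi_version()
    if local is None:
        print("local host: OMI not installed")
    else:
        print(f"local host: OMI {local}, patched={is_patched(local)}")
```

Run the script on each Linux VM, or feed it the package output gathered by whatever inventory tooling is already in place; any host listed by `triage()` still runs a pre-1.6.8.1 agent as root and should be updated.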