Microsoft Azure users running Linux VMs in the company’s Azure cloud need to take action to protect themselves against the four “OMIGOD” bugs in the Open Management Infrastructure (OMI) framework, because Microsoft hasn’t raced to do it for them.
As The Register outlined in our report on this month’s Patch Tuesday release, Microsoft included fixes for flaws security outfit Wiz spotted in OMI. Wiz named the four flaws “OMIGOD” because they are jaw-droppers.
The least virulent of the flaws is rated 7/10 on the Common Vulnerability Scoring System. The worst is rated critical at 9.8/10.
Complicating matters is that running OMI is not something Azure users actively choose.
As Wiz explained: “When customers set up a Linux virtual machine in [Azure], the OMI agent is automatically deployed without their knowledge when they enable certain Azure services.
“Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for instance, encrypting files for ransom).”
Faced with that threat, it seems reasonable to expect that Microsoft would fix the OMI agents it deploys and update VMs running vulnerable versions. That’s the sort of thing cloud operators usually do – and do quietly before flaws are made public, so that attackers don’t go to town.
Microsoft hasn’t done so on this occasion. Indeed, the company has kept deploying known bad versions of OMI when users create new Linux VMs.
The company’s latest advice, dated September 16th, is: “Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below.”
Bad formatting means the table is wider than the section of Microsoft’s web page, so rather a lot of lateral and vertical scrolling is required to learn that automatic updates have been enabled for six of the Azure services impacted by the bugs. But another seven services require manual updates.
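Since the article says OMI can be present on a VM without the owner having chosen it, a defender's first question is whether the package is installed and at what version. The following POSIX shell check is an added example, not code from the article, Microsoft or Wiz; the package name `omi`, the dpkg/rpm queries, and the FIXED_OMI_VERSION placeholder (take the real value from Microsoft's advisory) are assumptions.

```shell
#!/bin/sh
# Added example: report whether the OMI agent is installed on this Linux VM
# and whether its version is older than the fixed release.
# FIXED_OMI_VERSION is a placeholder; set it from Microsoft's advisory, e.g.
#   FIXED_OMI_VERSION=<fixed version> ./omi_check.sh
FIXED_OMI_VERSION="${FIXED_OMI_VERSION:-X.Y.Z.W}"

# Return 0 if dotted version $1 is strictly lower than $2, 1 otherwise.
# Relies on GNU sort -V for natural version ordering.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# Print the installed omi package version; print nothing if absent.
# Package name "omi" is an assumption; adjust if your distro names it differently.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "package omi is not installed" to stdout, so gate on its exit code
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}' omi 2>/dev/null
    fi
}

# Echo one of: absent | vulnerable (...) | patched (...)
# Exit status: 0 for absent/patched, 2 for vulnerable (handy for fleet scans).
omi_status() {
    ver=$(installed_omi_version)
    if [ -z "$ver" ]; then
        echo "absent"
        return 0
    fi
    if version_lt "$ver" "$FIXED_OMI_VERSION"; then
        echo "vulnerable ($ver < $FIXED_OMI_VERSION)"
        return 2
    fi
    echo "patched ($ver)"
    return 0
}
```

Run it across a fleet (for example via your configuration management tool) and treat exit status 2 as a finding; "absent" only means the package manager does not know about OMI, so VMs with an extension-installed agent should still be checked against the services Microsoft lists.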
Understandably, Microsoft’s actions – or lack thereof – have not gone down well.
They’ve also failed to update their own systems in Azure to install the patched version on new VM deployments. It’s honestly jaw dropping.
— Kevin Beaumont (@GossiTheDog) September 16, 2021
Researchers quickly found other unpatched instances of OMI.
Security vendor Censys, for example, wrote that it found “56 known exposed services worldwide that are likely vulnerable to this issue, including a major health organization and two major entertainment companies”.
Happily, the company also found “mass external exposure as seen with other hosts in the past (Microsoft Exchange comes to mind) does not appear to be present in this case”.
But the method needed to exploit the flaw is so simple that attacks will surely not be long in coming.
Sophos’s description of the flaw explains the peril:
Your next step is therefore obvious: patch ASAP. Because, as Censys puts it, “these issues would easily allow compromise with the highest-level privileges possible into any host which is running OMI”. ®