Multiple Flaws in Microsoft Azure Put Half of All Deployments at Risk

  • A set of four flaws in the OMI agent, an omnipresent Azure component, render half of all deployments vulnerable.
  • Microsoft has released fixes for this last week, urging users to update to the latest OMI version ASAP.
  • Exploiting the RCE flaw and elevating to root without authentication is embarrassingly simple.

Researchers at Wiz have discovered four flaws in the OMI (Open Management Infrastructure) agent that is part of the Microsoft Azure product and which are pretty easy to exploit for escalation of privileges to root and the execution of malicious code. Microsoft has released fixes for these flaws and also published the CVEs today.

Azure admins are advised to follow the instructions on how to add the OMI repositories on the Linux distribution they’re using and update the agent to a non-vulnerable version (v 1.6.8.1 or newer).

The four flaws are:

  • CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
  • CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
  • CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
  • CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

Because OMI is a component that’s deployed in the background, many admins don’t even realize that they are using it, but chances are that they are. The Azure services and tools that rely upon OMI and thus are vulnerable to the quartet of flaws are the following:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

Possibly, there are more services that deploy OMI silently, but the above put users in a certain vulnerable position. Microsoft estimates that roughly half of all Azure instances are vulnerable to exploitation, so patching as soon as possible is imperative.

In short, because the OMI agent runs as root on the target system, accessing its ports remotely is an excellent RCE channel. As the researchers explain, the attackers can simply send a single packet to the agent that removes the authentication header, and they can become root on a remote machine. That’s ‘CVE-2021-38647’, relying on the external exposure of OMI management ports which is the default configuration.

Source: Wiz

The other three flaws, which are all privilege escalation flaws of lower but still high severity, enable the attacker to elevate privileges to root without going through an authentication step. The third one is a tad bit less risky because it’s local, while the first two are remote.

Wiz reported the four flaws to Microsoft on June 1, 2021, and it took the software giant three weeks to confirm them all. The fixing patch was released on September 8, 2021, while the CVEs were published today with the Patch Tuesday pack. We consider this a timely response to an embarrassing discovery and another good reminder of why trusting cloud services to be “Secure by Default” is simply wrong.

REVIEW OVERVIEW

Latest

How to Use Ultra Wide Camera on Your iPhone 13, Mini, Pro, and Pro Max

This year’s iPhone generation has received a nice upgrade to its camera specs. That especially applies to ultra-wide cameras, now capable of capturing...

How to Factory Reset Your iPhone 13, Mini, Pro, and Pro Max

Did you know that when you delete data (like images or videos, for example), it still lingers in your iPhone’s storage and...

How to Turn ON/OFF the Flashlight on Your iPhone 13, Mini, Pro, and Pro Max

It’s true that the iPhone 13 comes with powerful specs. However, some of its most useful features require the least amount of power....
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari