Story image

Security experts weigh in on Microsoft Azure security holes

By Shannon Williams, Wed 22 Sep 21

Threat actors are continuing to actively exploite security flaws in Microsoft Azure’s Open Management Infrastructure framework that the tech giant disclosed as part of this months’ cumulative security updates.

OMI, the software agent at the centre of a remote code execution flaw, is silently exposing Microsoft Azure customers to unauthorised code execution. Vulnerable OMI versions were still being deployed to LINUX VMs, resulting in RCE and LPE vulnerabilities. And because Microsoft has no auto update mechanism, the agents need to be manually upgraded.

Andrew Morris, founder and chief executive officer of GreyNoise Intelligence, says the OMI vulnerabilities currently putting Azure customers at risk are just the latest in a staggering number of crippling threats in internet software.

"It’s getting to the point where it’s getting tough for security analysts to discern real threats from background noise, but this is definitely a real threat, and it should be prioritised accordingly," he says.

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework:  CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.  

Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. 

The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management. Microsoft says it is providing additional guidance and rolling out additional protections within Azure impacted VM management extensions to resolve these issues.  

All OMI versions below v1.6.8-1 are vulnerable. 

According to BleepingComputer, the OMI software agent is present on more than half of all Azure instances, and thousands of Azure customers and millions of endpoints could be impacted.

Microsoft says customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available. 

Microsoft initially announced an update to one of its Linux products on Patch Tuesday, fixing a bug known formally as CVE-2021-38647, but informally dubbed "OMIGOD". 

The nickname is a pun coined by Wiz, the company that discovered the flaw along with three others, and plays on the fact that the affected product is called Microsoft OMI, short for Open Management Interface.

 "It's a bit like being able to sneak through passport control by carefully showing up with no ID whatsoever," says Paul Ducklin, Principal Research Scientist at Sophos.

"Imagine that instead of the border guards checking that you did have genuine ID, they merely checked that you didn't have any fake ID on you. Arrive empty handed, and you'll always pass that sort of test."

Recent stories
More stories