Microsoft is advising users running Linux virtual machines within Azure to patch four critical vulnerabilities in an open-source software agent called Open Management Infrastructure (OMI). If exploited, the vulnerabilities could lead to remote code execution.

Created by Microsoft and then donated to the Open Group in 2012, OMI lets users manage configurations across remote and local environments. While it’s technically not under Microsoft ownership, the Redmond-headquartered company uses OMI behind the scenes as a “building block” in its virtual machines.

As a result, many services, including Azure Log Analytics, Azure Diagnostics, Azure Automation and Azure Security Center, are affected.

The OMI vulnerability was discovered by researchers at cloud security vendor Wiz, the same team that recently discovered a separate vulnerability in flagship Azure database product Cosmos DB.

They described the vulnerabilities as “very easy to exploit” and dubbed them “OMIGOD”.

While OMI is not a well-known product, it is ubiquitous because it is installed whenever users set up log collection. Wiz looked at a sample of Azure customers running Linux and found that over 65% were exposed to the OMI vulnerability.

“This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” wrote Wiz security researcher Nir Ohfeld in a blog post. “Thanks to the combination of a simple conditional statement coding mistake and an uninitialised auth struct, any request without an authorisation header has its privileges default to uid=0, gid=0, which is root.”
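To make concrete the bug class Ohfeld describes, a conditional that only rejects a bad header (not a missing one) combined with an auth struct that is never initialised, here is an added, hypothetical C model with the fix beside it. It is not OMI's source code; the header format, the `AuthContext` struct and the "nobody" uid are assumptions, and zeroed memory stands in for the uninitialised struct so the demonstration is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the OMIGOD bug class; not OMI's actual code. */
typedef struct {
    int uid;
    int gid;
} AuthContext;

#define UNPRIVILEGED_UID 65534   /* "nobody"; assumed safe default */

/* Toy credential parser: expects "uid=<n>;gid=<n>". Returns 0 on success.
 * A real implementation would verify the credentials, not merely parse them. */
static int parse_auth_header(const char *header, AuthContext *ctx) {
    if (sscanf(header, "uid=%d;gid=%d", &ctx->uid, &ctx->gid) != 2)
        return -1;
    return 0;
}

/* VULNERABLE: the only rejection branch fires when a header is present
 * but malformed. A request with NO header skips the check entirely and
 * keeps whatever ctx already held. The zeroed memory below stands in for
 * the uninitialised struct in the reported bug: uid=0, gid=0 is root. */
int vulnerable_effective_uid(const char *auth_header) {
    AuthContext ctx;
    memset(&ctx, 0, sizeof ctx);              /* models stale/zero memory */
    if (auth_header != NULL && parse_auth_header(auth_header, &ctx) != 0)
        return -1;                            /* only a bad header is rejected */
    return ctx.uid;                           /* NULL header -> 0 (root) */
}

/* HARDENED: start from an unprivileged identity, then fail closed on
 * both a missing and a malformed header. */
int hardened_effective_uid(const char *auth_header) {
    AuthContext ctx = { UNPRIVILEGED_UID, UNPRIVILEGED_UID };
    if (auth_header == NULL)
        return -1;                            /* missing credentials: deny */
    if (parse_auth_header(auth_header, &ctx) != 0)
        return -1;                            /* malformed credentials: deny */
    return ctx.uid;
}

int main(void) {
    printf("vulnerable, no header: uid=%d\n", vulnerable_effective_uid(NULL));
    printf("hardened,   no header: uid=%d\n", hardened_effective_uid(NULL));
    printf("hardened,   uid=1000:  uid=%d\n", hardened_effective_uid("uid=1000;gid=1000"));
    return 0;
}
```

The two functions differ only in their initial state and in which cases they deny, which is exactly the pair of defects the quote attributes to the bug.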

Fixes for the OMI vulnerability were rolled out this week in the Redmond-headquartered company’s monthly round of patches, known as Patch Tuesday.

While Microsoft has patched the vulnerability, it is up to system administrators and IT teams to install the patch manually if they are running a version of OMI prior to 1.6.8.1.

“This OMI service is a standard service that gets deployed as Microsoft’s Azure/Linux infrastructure building blocks,” Tom Van de Wiele, a security researcher at F-Secure, explained to Verdict. “That means [Microsoft] has patched it once it was reported to it, but of course deployments that were already in production before the change might still be running the vulnerable version and will require a manual update or reinstall with the newer patched versions.”

In other words: “This is not something you can have Microsoft automatically fix for you, you need to manually get to a newer and patched version.”

This could prove problematic for organisations, as many are unaware that OMI is installed. Patches were posted to GitHub in August.

The most serious of the four vulnerabilities is CVE-2021-38647, said Van de Wiele, as the other three are local privilege escalation flaws and therefore require a prior “certain degree of access to the Azure account”.

The headlining problem has a critical severity rating of 9.8 out of 10 and can be exploited to gain root access with just a single packet sent to a target with the authentication header removed.

Systems are vulnerable if ports 5986, 5985 or 1270 are exposed to the internet. Attackers can use scanning tools to find vulnerable virtual machines by looking for these ports on internet-connected hosts. The good news is that these ports are not exposed to the internet by default.

Ohfeld described an exposed HTTPS port as a “holy grail for malicious attackers”.

He added that “with one simple exploit they can get access to new targets, execute commands at the highest privileges and possibly spread to new target machines”.

The other three OMI vulnerabilities come with severity ratings of 7.8 and below.

George Papamargaritis, MSS director at Obrela Security Industries, said: “Any exploitation may cause consequences to the availability of the service, confidentiality or integrity. Nevertheless, the likelihood at this stage is low considering that Azure’s on-by-default, outside-the-VM firewall will limit it to most customers’ internal networks only.”

Wiz reported the four OMI vulnerabilities to Microsoft’s security team on 1 June.

Ohfeld added: “The ease of exploitation and the simplicity of the vulnerabilities makes you wonder if the OMI project is mature enough to be used so widely within Azure.”