Researchers said on Thursday that security teams should take advantage of the patches Microsoft provided on Patch Tuesday for the four so-called “OMIGOD” vulnerabilities in Azure.
The OMIGOD news first broke in a blog by Wiz researchers on Tuesday, in which the team explained that the source of the latest supply chain issue was a little-known software agent called open management infrastructure (OMI) — the genesis of the word OMIGOD — that’s embedded in many popular Azure services.
According to the Wiz researchers, when customers set up a Linux virtual machine in a cloud, the OMI agent automatically gets deployed without their knowledge when they enable certain Azure services. Unless they apply a patch, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code, for example: encrypting files for ransom.
Wiz conservatively estimates that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants the researchers analyzed, more than 65% were unknowingly at risk.
Microsoft issued the following CVEs for OMIGOD and made patches available to customers on Patch Tuesday: CVE-2021-38647, unauthenticated remote code execution as root; and three privilege escalation vulnerabilities: CVE-2021-38648, CVE-2021-38645, CVE-2021-38649.
Too often the software supply chain gets overlooked, the latest example being the automatic and unannounced installation of the OMI agent whenever users install a Linux VM on Microsoft Azure, said Saryu Nayyar, CEO at Gurucul.
“Users of third-party software, including open-source software, have to have traceability across the supply chain, or there exists the potential for unknown vulnerabilities in resulting applications,” Nayyar said. “Simply finding and using software from the internet, or from external libraries, is no longer an option. This tool must be fully patched after installation to protect the VM from potential attack.”
John Bambenek, principal threat hunter at Netenrich, said most people think when they set up infrastructure in the cloud, that it’s secure by default. However, security teams still need to secure the operating systems themselves and many pre-built VMs aren’t kept up-to-date on patches.
“This particular bug is embarrassing due to its simplicity to execute,” Bambenek said. “It’s another stark reminder that IaaS consumers still need to be on top of routine software updates or risk their cloud assets being hijacked.”
Tyler Shields, CMO at JupiterOne, said it’s very noteworthy for security researchers to find an underlying vulnerability in a management function of a cloud service provider such as Microsoft Azure. To understand their exposure to this vulnerability, Shields said organizations need to know which assets have the OMI management function enabled and ensure that nothing is directly exposed to the internet.
“You may assume that two or three layers of firewalls protect these assets, but unfortunately, transitive trust relationships among assets can accidentally create a path that an attacker can exploit,” Shields said. “A cloud-native attack surface measurement tool that connects assets together in a relationship graph will tell you pretty quickly if any of those instances are actually exposed.”
Moses Frost, senior security consultant at GRIMM, said it appears that many researchers have started to look very closely at Microsoft Azure over the last year or so. Frost saw this vulnerability as just the latest one, and while researchers are focused on Microsoft today, Frost thinks it will only be a matter of time before we will see attention turn to others.
“The only seemingly available mitigation strategy is patch if you can, and where you can't, block with a firewall ruleset,” Frost said. “Administrators can attempt to look for the existence of the ports in question and try to block them. I would use a network security group or other controls in Azure to make these exploits more challenging to reach.”