Security firm Wiz has discovered critical vulnerabilities, including a remote code execution (RCE) flaw, in Microsoft Azure’s Linux virtual machines that attackers could exploit to easily gain root privileges.
These vulnerabilities are known collectively as “OMIGOD” and comprise CVE-2021-38647, CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649. The root cause is a software agent called Open Management Infrastructure (OMI), which lets users collect statistics and synchronize configurations across the environment and is embedded in many popular Azure services, including but not limited to:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
When users enable certain Azure services in their cloud, the OMI agent is deployed automatically, without their knowledge. Until patched, an attacker can exploit the four vulnerabilities above to escalate to root privileges and remotely execute malicious code simply by sending a request with the authentication header removed.
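The failure mode described above, a request with no authentication header being treated as already authorized, is a fail-open default. The following is an added teaching example, not OMI's source code and not Wiz's proof of concept: it models a request handler with a constructed credential table and places the fail-open resolver beside a deny-by-default one, so the difference in behaviour on a header-less request is visible in a unit test.

```python
"""Toy model of a fail-open vs. deny-by-default authentication check.

Added illustration, not OMI code. Identity is derived from an HTTP-style
Authorization header; the credential table below is constructed for the
example (a real agent would consult PAM or a token service).
"""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

ROOT_UID = 0

# Constructed credential table: Basic token -> unprivileged uid.
CREDENTIALS: Dict[str, int] = {
    base64.b64encode(b"ops:secret").decode(): 1001,
}


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class AuthError(Exception):
    """Raised when a request cannot be tied to a verified identity."""


def parse_authorization(header: Optional[str]) -> Optional[int]:
    """Map an Authorization header to a uid; None when absent or unknown."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    return CREDENTIALS.get(token)


def vulnerable_resolve_uid(req: Request) -> int:
    """Fail-open pattern: the default identity is set before authentication.

    A request that carries a *bad* header is rejected, but a request with
    *no* header never reaches the check and keeps the default uid 0.
    """
    uid = ROOT_UID
    auth = req.headers.get("Authorization")
    if auth is not None:
        resolved = parse_authorization(auth)
        if resolved is None:
            raise AuthError("bad credentials")
        uid = resolved
    return uid


def hardened_resolve_uid(req: Request) -> int:
    """Deny by default: only a verified credential ever yields a uid."""
    uid = parse_authorization(req.headers.get("Authorization"))
    if uid is None:
        raise AuthError("authentication required")
    return uid


def rejects(resolver: Callable[[Request], int], req: Request) -> bool:
    """True when the resolver refuses to assign an identity to the request."""
    try:
        resolver(req)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    bare = Request()  # constructed request with the Authorization header removed
    print("fail-open resolver gives uid", vulnerable_resolve_uid(bare))
    print("deny-by-default resolver rejects:", rejects(hardened_resolve_uid, bare))
```

The hardened resolver has no identity variable until a credential has been verified, so there is no path on which "no header" silently becomes "root". That is the property to check for in any agent that authenticates a management channel: the privileged identity must be the result of a check, never the starting value.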
Virtually any Linux machine with OMI installed is affected, since OMI can also be installed independently and used locally on any Linux machine. For example, OMI is built into System Center for Linux, Microsoft’s server management solution. Microsoft has now released a fixed version of OMI (126.96.36.199) and recommends that customers update OMI manually.
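Because the agent is installed silently and updated manually, the first defensive step is an inventory. The script below is an added example, not part of the article or of Microsoft's tooling: it queries the installed `omi` package version with the real `dpkg-query` and `rpm` commands, compares it to the fixed release the operator takes from Microsoft's advisory, and parses `ss -ltnp` output to tell whether the OMI engine is listening on a TCP socket at all, which is what makes the unauthenticated remote case reachable. The `ss` sample is constructed so the module runs offline; the port numbers in it are illustrative.

```python
"""Added example: OMI inventory check for a Linux host.

Reports (1) whether the installed 'omi' package is at or above the fixed
version supplied by the operator and (2) which TCP sockets, if any, the
omiengine process is listening on.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed `ss -ltnp` output; the omiengine ports shown are illustrative.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=800,fd=3))
LISTEN 0      15           127.0.0.1:1270     0.0.0.0:*     users:(("omiengine",pid=1234,fd=7))
LISTEN 0      15           *:5986             *:*           users:(("omiengine",pid=1234,fd=8))
"""

LISTENER_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.8-1' or '1.6.8.1' into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version.

    Tuples compare positionally, so (1, 6, 8) < (1, 6, 8, 1): a shorter
    version string sorts below a longer one with the same prefix.
    """
    return parse_version(installed) >= parse_version(fixed)


def installed_omi_version() -> Optional[str]:
    """Ask dpkg or rpm for the 'omi' package version; None if absent."""
    if shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", "-f=${Version}", "omi"]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"]
    else:
        return None
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None


def find_omi_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every listening socket owned by omiengine."""
    found = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m and m.group("proc") == "omiengine":
            found.append((m.group("addr"), int(m.group("port"))))
    return found


def assess(installed: Optional[str], fixed: str, ss_output: str) -> Dict[str, object]:
    """Combine both checks into one finding for the host."""
    listeners = find_omi_listeners(ss_output)
    patched = installed is not None and is_patched(installed, fixed)
    return {
        "installed": installed,
        "patched": patched,
        "listeners": listeners,
        # Remote exposure needs both an unpatched agent and a network socket.
        "remotely_exposed": installed is not None and not patched and bool(listeners),
    }


if __name__ == "__main__":
    FIXED = "FIXED_VERSION_FROM_ADVISORY"  # placeholder: set from Microsoft's advisory
    ss = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    print(assess(installed_omi_version(), FIXED, ss))
```

Run it as root so `ss -p` can resolve socket owners. A host that reports `patched: False` with an empty listener list is still vulnerable to the local privilege-escalation CVEs and needs the update; it is simply not reachable over the network.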