The software agents for UNIX/Linux systems, abbreviated OMI, are similar to the Windows Management Infrastructure (WMI), which led Wiz to name the set of four vulnerabilities OMIGOD.
Unbeknownst to Azure customers, Microsoft automatically deploys the open source Open Management Infrastructure agents for Linux instances, security firm Wiz said.
OMI is poorly documented, is developed by a small team of 20 contributors, and runs with the highest privileges, as the root superuser.
The researchers estimate that thousands of Azure customers and millions of endpoints could be vulnerable to the bugs.
Wiz found a vulnerability with a severity score of 9.8 out of 10 that allows remote code execution, which could be abused by ransomware operators, for example.
“This is a textbook RCE vulnerability that you would expect to see in the 90s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz wrote. “With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.”
Three other vulnerabilities can be abused for privilege escalation.
Users are vulnerable if they install any of the following services:

- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
Other Azure services that install OMI could be vulnerable as well. Wiz warned that the OMI agents are used in Amazon Web Services and Google Cloud Platform as well, along with on-premises installations such as Microsoft’s System Center for Linux.
Microsoft has released patches for the OMIGOD vulnerabilities in the latest OMI version, 220.127.116.11.
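Because OMI is installed silently alongside the services listed above, the first practical step for a defender is an inventory: which Linux hosts carry the omi package, and is it below the fixed version? The script below is an added example, not tooling from Wiz or Microsoft. It assumes the agent ships as a dpkg package named "omi" (the `dpkg -l` lines and host names are constructed for the demo, and the "patched" threshold is a constructed value to be replaced with the fixed version from Microsoft's advisory); rpm-based hosts would need the regex adapted to `rpm -q omi` output.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample `dpkg -l` output for three hypothetical Linux VMs.
# Host names and package versions are invented for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "vm-automation-01": (
        "ii  omi       1.6.4-1   amd64  Open Management Infrastructure\n"
        "ii  omsagent  1.13.40-0 amd64  Log Analytics agent\n"
    ),
    "vm-patched-02": (
        "ii  omi       1.6.9-0   amd64  Open Management Infrastructure\n"
    ),
    "vm-no-agent-03": (
        "ii  openssl   1.1.1f-1  amd64  Secure Sockets Layer toolkit\n"
    ),
}

# Constructed threshold for the demo only: substitute the fixed OMI version
# from Microsoft's advisory before running this against real hosts.
DEMO_PATCHED_VERSION = "1.6.9-0"

# Matches an installed ("ii") omi package line and captures its version column.
_OMI_LINE = re.compile(r"^ii\s+omi\s+(\S+)", re.MULTILINE)


def omi_version(dpkg_output: str) -> Optional[str]:
    """Return the installed omi package version, or None if it is not installed."""
    m = _OMI_LINE.search(dpkg_output)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.6.8-1' or '1.6.8.1' into a tuple of ints; non-numeric parts become 0."""
    parts = re.split(r"[.\-]", version)
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def is_vulnerable(installed: str, patched: str) -> bool:
    """True when the installed version sorts below the patched version."""
    return version_key(installed) < version_key(patched)


def assess(inventory: Dict[str, str], patched: str) -> Dict[str, str]:
    """Classify every host as 'not installed', 'patched' or 'vulnerable'."""
    result: Dict[str, str] = {}
    for host, dpkg_output in inventory.items():
        ver = omi_version(dpkg_output)
        if ver is None:
            result[host] = "not installed"
        elif is_vulnerable(ver, patched):
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result


if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY, DEMO_PATCHED_VERSION).items():
        print(f"{host}: {status}")
```

In practice the dpkg output would be collected from each VM (for example via the fleet's existing configuration-management channel) and fed to `assess`; hosts reported as "vulnerable" are the ones where the root-privileged agent is still exposed to the bugs described above, and hosts with no omi package at all may still acquire one the next time one of the listed services is enabled, so the inventory is worth repeating after changes.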