Security Researchers Find Another Major Vulnerability in Microsoft Azure
Security researchers at cloud security company Wiz have discovered a set of vulnerabilities in Azure that affect Linux virtual machines. The flaws are in the open source agent OMI, which Azure installs on a VM when logging, reporting or management options are enabled in the Azure UI.
Wiz researchers call the set of vulnerabilities "OMIGOD." The most serious of them allows remote code execution as root on the VM. That is only reachable if OMI's management port is exposed: the network filtering that Azure applies outside the virtual machine is on by default and limits access to OMI to the internal network, so the problem becomes acute when an administrator opens that port to the internet or turns the filtering off.
OMI, or Open Management Infrastructure, is an agent that is installed when an Azure service such as distributed logging or management is enabled. OMI is the Linux counterpart of Windows Management Instrumentation: it collects logs and metrics and provides part of the remote management functionality. OMI runs by default, as root, when Azure customers set up a Linux virtual machine in their cloud environment and enable certain services. According to the Wiz researchers, customers are usually unaware that it is running, and an attacker can use any of the four vulnerabilities to obtain root privileges on the VM unless the patch for these zero-days is installed.
Microsoft has now made a patch for the vulnerabilities available to customers. The vulnerabilities are registered as CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649. The first, CVE-2021-38647, is the remote code execution flaw and is the most serious, with a CVSS score of 9.8 out of 10; the other three are local privilege escalations. The vulnerabilities affect Azure customers with Linux VMs that use one of the following tools: Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, or Azure Diagnostics. According to Wiz, this is probably not the complete list of tools that silently install OMI, and the company asks customers to report any other services they find enabling it. Because the fix is an updated OMI package on the VM itself, whether a machine is protected depends on the OMI version actually installed there, not on which Azure service pulled it in.
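The two things an administrator wants to know after reading the paragraphs above are whether a given Linux VM carries a pre-fix OMI package and whether OMI's management ports are listening beyond loopback. The script below is an added example, not code from the article, from Wiz or from Microsoft. It assumes (none of this is stated on the page) that OMI is installed as the `omi` dpkg/rpm package, that the fixed package version is 1.6.8-1 as given in Microsoft's advisory for these CVEs, and that OMI's remote-management listeners use TCP ports 5985, 5986 and 1270; the version strings and `ss` output it is exercised with are constructed.

```shell
#!/bin/sh
# Added example (not from the article, Wiz or Microsoft): host-side OMIGOD exposure check.
# Assumptions: OMI ships as the "omi" dpkg/rpm package, the fixed package version is
# 1.6.8-1 (Microsoft advisory for CVE-2021-38645/38647/38648/38649), and OMI's
# remote-management listeners use TCP 5985, 5986 and 1270.

OMI_FIXED_VERSION="1.6.8-1"

# Turn "1.6.8-1" (deb) or "1.6.8.1" (rpm) into dot-separated numeric fields, with a
# trailing dot so that `cut -s` always sees at least one delimiter.
omi_norm_version() {
    printf '%s.' "$1" | tr '-' '.'
}

# Exit 0 if version $1 is at least version $2, 1 otherwise. Fields are compared
# numerically; a missing field counts as 0, so 1.6.8 == 1.6.8-0 < 1.6.8-1.
# OMI versions are purely numeric, so no letter suffixes are handled.
omi_version_ge() {
    a=$(omi_norm_version "$1"); b=$(omi_norm_version "$2"); i=1
    while :; do
        x=$(printf '%s' "$a" | cut -s -d. -f"$i"); y=$(printf '%s' "$b" | cut -s -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Classify an installed OMI version string: "absent", "patched" or "vulnerable".
omi_status() {
    v=$1
    if [ -z "$v" ]; then
        echo absent
    elif omi_version_ge "$v" "$OMI_FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Installed OMI package version from dpkg or rpm; empty when OMI is not installed.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
    return 0
}

# Read `ss -ltn` style output on stdin and print each OMI management port that is
# listening on a non-loopback address (the exposure the article warns about).
omi_exposed_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((port == 5985 || port == 5986 || port == 1270) && addr != "127.0.0.1" && addr != "[::1]")
            print port
    }' | sort -u
}

# Run the checks on this host:  sh omi_check.sh --run
if [ "${1:-}" = "--run" ]; then
    v=$(omi_installed_version)
    echo "omi package: ${v:-not installed} -> $(omi_status "$v")"
    if command -v ss >/dev/null 2>&1; then
        exposed=$(ss -ltn 2>/dev/null | omi_exposed_ports)
        echo "OMI ports listening beyond loopback: ${exposed:-none}"
    fi
fi
```

A VM that reports `vulnerable` together with a non-empty exposed-port list matches the worst case in the article (pre-fix OMI reachable from the network); `vulnerable` with no exposed ports still leaves the three local privilege escalations open and should be updated.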
In conversation with Ars Technica, the researchers say that reporting the vulnerabilities to Microsoft through its responsible disclosure process was not straightforward. According to Microsoft, the vulnerabilities initially fell outside the scope of the Azure disclosure program because they concern an external open source program. OMI is indeed open source, but Microsoft donated it to The Open Group in 2012 and Microsoft employees have provided the vast majority of commits since then. In addition, Microsoft runs the tool inside Azure automatically, without the administrator being aware of it. In the end, Microsoft paid out a total of $70,000 in bug bounties for the four vulnerabilities.
It is the second serious Azure vulnerability to be fixed within a short period. At the end of August, a flaw in the Cosmos DB database service gave attackers unrestricted access to other customers' Cosmos DB accounts and databases. That vulnerability was also discovered by security researchers at Wiz.