Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

OMIGOD! Microsoft Secretly Installed an Open Source Agent with Critical Vulnerabilities on Thousands of Linux VMs

September 17, 2021 By Ax Sharma

In a rather appalling discovery, Microsoft has now released patches for critical vulnerabilities in its Open Management Infrastructure (OMI) software agent which had been silently installed on Azure Linux VMs.

Available on GitHub, OMI is an open source IT environment management software product for Linux and Unix-based systems and is widely deployed on Microsoft Azure VMs and services. It is similar to Windows’ WMI, but for Unix systems.

This month, researchers at security firm Wiz found multiple vulnerabilities and named them “OMIGOD.”

Although heavily used by Azure services, OMI may be unheard of as it isn’t documented in Azure knowledgebase—and yet it’s automatically deployed on Azure VMs during the onboarding process. As such customers may have no awareness of this “secret” agent running in the background, explain Wiz researchers.

These vulnerabilities are:

  • CVE-2021-38647 – Unauthenticated RCE as root
  • CVE-2021-38648 – Privilege Escalation vulnerability
  • CVE-2021-38645 – Privilege Escalation vulnerability
  • CVE-2021-38649 – Privilege Escalation vulnerability

“The vulnerabilities are very easy to exploit, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges,” said Nir Ohfeld, a senior security researcher at Wiz in a report published this week.

And, what’s worse is that an OMI agent runs with root privileges.

Any application or user can initiate a connection with the OMI agent via UNIX sockets or an HTTP API, depending on how the product is configured, therefore expanding the possible attack surface for bad actors.

By exploiting the aforementioned vulnerabilities, remote attackers and low privileged users can execute code on target machines, or gain elevated privileges.

The researchers determined that over 65% of sampled Azure customers were exposed to these vulnerabilities and unknowingly at-risk.

Patch your Azure services ASAP

Microsoft installing this software agent with critical vulnerabilities on thousands of Azure VMs leaves room for major supply-chain incidents, and as such Azure Linux users running one or more of the following products should patch their systems promptly.

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

Microsoft has released a patched OMI version 1.6.8-1 and advised customers to manually upgrade their OMI instances, steps for which are provided in this report.

Users with their OMI instances listening on ports 5985, 5986, 1270 should restrict network access to these ports to defend against the remote code execution vulnerability (CVE-2021-38647).

As I stated in my earlier blog post, active exploitation of assets begins almost immediately after vulnerability disclosures are made public—we saw this in Atlassian’s case. And, attackers eye public exploits and constantly mass scan networks for applications vulnerable to even years-old, but popular flaws, such as the Fortinet path traversal vulnerability (CVE-2018-13379).

Next-generation software supply chain attacks have increased by 650% in the past year, according to Sonatype’s 2021 State of the Software Supply Chain Report. Malicious actors are constantly moving upstream to infiltrate open source software and cause widespread damage.

As such, with supply-chain vulnerabilities like these, while the traditional advice to regularly update your applications to properly vetted fixed versions remains applicable, security professionals are constantly racing against cybercriminals and time to be proactive.

And the same goes for developers building world-class software applications.

Manually monitoring CVE feeds and hard-to-find vulnerability disclosures, and then applying mitigations are no longer feasible, when your time should be going towards doing what you love: building kick-ass software.

Put simply, it’s just easier for an automated tool, such as Sonatype Lift, to block vulnerable libraries, or even a simple vulnerable line of code, from entering your software releases.

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from vulnerabilities and malware.

Tags: vulnerabilities

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.