
Microsoft details 'OMIGOD' Azure vulnerability fixes, threats

Microsoft fixed the open source OMI software during last week's Patch Tuesday, but the tech giant has struggled to get the updated agents to Azure customers.

A series of Azure vulnerabilities disclosed last week may finally be getting fixes after initial patching saw mixed results.

The fixes are related to "OMIGOD," four vulnerabilities impacting Open Management Infrastructure (OMI) disclosed last Tuesday. OMI is an open source software agent that is frequently used in Azure extensions.

The core vulnerability, CVE-2021-38647, is a critical remote code execution vulnerability, and the others (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) are privilege escalation vulnerabilities. The flaws were originally reported on June 1 by cloud security vendor Wiz, which named the vulnerability set OMIGOD, and the software was patched with this month's Patch Tuesday.

However, reports came in from several security researchers like Kevin Beaumont that new Linux virtual machines were still receiving vulnerable agents and that the impacted extensions hadn't yet been properly fixed. Moreover, automatic updates for existing agents were not immediately available to Azure customers.

This meant customers who used one of the many Azure extensions vulnerable to OMIGOD, including Azure Automatic Update and Azure Operations Management Suite, had to update the OMI software themselves. The situation was also challenging because, as Wiz senior security researcher Nir Ohfeld explained in the vendor's OMIGOD blog post, OMI is a silent, "secret agent" that is deployed without an Azure customer's knowledge or consent.

On Thursday, Microsoft announced automatic updates are available -- at least, for some Azure extensions. The company provided additional guidance on its Microsoft Security Response Center post, regarding which extension updates were available to install manually, which were going to receive automatic updates and which hadn't been updated yet.

As of this writing, only one vulnerable extension identified by Microsoft, Azure Stack Hub, has not received any update yet. Many cloud extensions have automatic updates already and some are planned for this Wednesday, while on-premises Azure deployments only have manual updates available.


OMIGOD threats, confusion

Several security researchers have noted mass scanning and exploitation activity around the OMIGOD vulnerabilities. A Microsoft Threat Intelligence Center post written by Microsoft security program manager Russell McDonald said OMIGOD was being exploited by various threats, including cryptominers and Mirai botnets, and that Microsoft expected an increase in the number of attacks "due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks."

McDonald's post provided customers with detections and indicators of compromise for Azure Sentinel, Microsoft's cloud SIEM.

The exploitation activity puts even more urgency on Microsoft's mitigation efforts for OMIGOD, which Ohfeld said have been a struggle.

"We didn't know how Microsoft was patching -- we had so many open questions," he told SearchSecurity. "And after contacting Microsoft about ChaosDB, we tried to ask questions around OMI. We kept asking, how do you plan to patch it?"

Ohfeld said that after the patches came out, "we saw the patching instructions, and we immediately knew that they wouldn't work."

Wiz then sent an urgent email to Microsoft informing the company that new Linux VMs were still receiving older, vulnerable versions of OMI, even though the open source software had been patched. Ohfeld said Wiz suggested its fix to the issue -- as it researched mitigations at length -- and that Microsoft, up to that point, did not appear to have a full grasp of how to fix the issue.

"I believe that if you talk to most teams at Microsoft, they are not aware even of the word OMI," Ohfeld said. "But it somehow lurks in the shadows of every Linux and Azure surface. That's absurd."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
