Microsoft urged administrators to fix OMIGOD vulnerabilities on their own

Microsoft and OMIGOD vulnerabilities
Written by Emma Davis

Earlier this week, we wrote that Microsoft patched four critical vulnerabilities collectively known as OMIGOD. The issues were found in Open Management Infrastructure (OMI), an agent that is silently and automatically installed on Azure Linux VMs (more than half of all Azure instances).

OMI is installed and enabled when any of the following tools and services are activated: Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics.

OMIGOD contains the following vulnerabilities:

  • CVE-2021-38647 — RCE without root authentication (9.8 points on the CVSS scale);
  • CVE-2021-38648 — Privilege escalation vulnerability (7.8 on the CVSS scale);
  • CVE-2021-38645 — Privilege escalation vulnerability (7.8 on the CVSS scale);
  • CVE-2021-38649 — Privilege escalation vulnerability (7 on the CVSS scale).

“This is a textbook RCE vulnerability that could have been found in the 90s. It is extremely unusual that in 2021 such a vulnerability appeared, which could [jeopardize] millions of endpoints. With just one package, an attacker can become a root user on a remote machine by simply removing the authentication header. It’s really that simple,” wrote the experts at Wiz, who discovered the problems.

OMIGOD issues were fixed in OMI, but there is no automatic update mechanism in the application, so most Azure Linux VMs will remain vulnerable until the update is manually installed.

Microsoft is now urging customers to manually update vulnerable software to defend against OMIGOD attacks. The company also promises that new virtual machines will be protected from these vulnerabilities after the publication of updated extensions.
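Because OMI has no auto-update mechanism, the patch status of each Linux VM has to be checked by hand. The following POSIX shell script is an added example, not code from the article or from Microsoft's tooling: it reads the installed OMI package version from dpkg or rpm and compares it with the patched release, which is passed in as FIXED_VERSION (a placeholder, since the article does not state the fixed version; take it from Microsoft's advisory).

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft/OMI): report whether the
# OMI package on an Azure Linux VM is older than the patched release.
# FIXED_VERSION is a placeholder; supply the value from Microsoft's OMIGOD
# advisory, e.g.  FIXED_VERSION=<patched version> sh check_omi.sh
: "${FIXED_VERSION:=}"

# Compare two version strings ("1.2.3.4", "1.2.3-4") field by field.
# Prints 0 if a == b, 1 if a > b, 2 if a < b. Non-numeric characters are dropped.
version_cmp() {
    a=$(printf '%s' "$1" | tr '-' '.' | tr -cd '0-9.').
    b=$(printf '%s' "$2" | tr '-' '.' | tr -cd '0-9.').
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then echo 0; return; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        if [ "$x" -lt "$y" ]; then echo 2; return; fi
        i=$((i + 1))
    done
}

# Succeeds (exit 0) when installed version $1 is older than fixed version $2.
omi_is_vulnerable() {
    [ "$(version_cmp "$1" "$2")" = 2 ]
}

# Installed OMI version from dpkg or rpm; prints nothing if OMI is absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
}

# Exit 0: not installed or patched; 2: vulnerable; 1: FIXED_VERSION missing.
check_omi() {
    [ -n "$FIXED_VERSION" ] || { echo "FIXED_VERSION not set" >&2; return 1; }
    v=$(installed_omi_version)
    if [ -z "$v" ]; then echo "OMI not installed: not affected"; return 0; fi
    if omi_is_vulnerable "$v" "$FIXED_VERSION"; then
        echo "OMI $v < $FIXED_VERSION: vulnerable, update manually"; return 2
    fi
    echo "OMI $v >= $FIXED_VERSION: patched"
}
```

Run it on each VM (or through your configuration-management tool) and treat exit code 2 as a finding; the version strings in the comments are constructed, not the real OMI releases.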

The problem is that the first attacks using OMIGOD have already been detected by information security experts. In particular, according to the companies Bad Packets and GreyNoise, attackers are already scanning the Internet for unprotected Azure Linux virtual machines, and the attacks are coming from more than 110 servers. Security researcher Germán Fernández writes that a botnet based on Mirai is behind some of these attacks.

The company Cado Security also studied the malware of this botnet and reports that the malware “closes the vulnerable ports that it used to prevent other botnets from taking over the system.”

According to information security expert Kevin Beaumont, other cybercriminals exploiting OMIGOD bugs deploy cryptocurrency miners on infected systems.

About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.