Earlier this week, we wrote that Microsoft patched four vulnerabilities collectively known as OMIGOD. The issues were found in Open Management Infrastructure (OMI), an agent that is silently and automatically installed on Azure Linux VMs (Linux accounts for more than half of all Azure instances). OMI is installed and enabled when any of the following tools and services are activated: Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics.
OMIGOD contains the following vulnerabilities:
- CVE-2021-38647 — unauthenticated RCE as root (9.8 on the CVSS scale);
- CVE-2021-38648 — privilege escalation vulnerability (7.8 on the CVSS scale);
- CVE-2021-38645 — privilege escalation vulnerability (7.8 on the CVSS scale);
- CVE-2021-38649 — privilege escalation vulnerability (7.0 on the CVSS scale).
The OMIGOD issues were fixed in OMI 1.6.8-1, but the agent has no automatic update mechanism, so most Azure Linux VMs will remain vulnerable until the update is installed manually.
Microsoft is now urging customers to update the vulnerable software themselves to defend against OMIGOD attacks. The company also promises that newly created virtual machines will be protected from these vulnerabilities once the updated extensions are published.
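Because nothing on the VM will update OMI for you, the first practical step is to find out whether a given host is still running a pre-fix build. The script below is an added example and is not from the original article or from Microsoft; it assumes the fixed release is OMI 1.6.8-1 (the version Microsoft's advisory names, packaged as 1.6.8-1 on rpm systems and 1.6.8.1 on deb systems) and that OMI's remote endpoint listens on TCP 5985/5986 (WSMan) and 1270 (legacy OMI/SCX), which are OMI's documented defaults rather than ports the article itself names. The version comparison is written in plain POSIX sh so it does not depend on `sort -V`.

```shell
#!/bin/sh
# Added example (not from the article): report whether this Azure Linux VM
# runs an OMI build older than the fixed release and whether the OMI daemon
# is exposing network listeners.

# Assumption: 1.6.8-1 is the first fixed release, per Microsoft's advisory.
FIXED_OMI_VERSION="1.6.8-1"

# version_lt A B -> exit 0 when dotted version A is strictly older than B.
# Hyphens are treated as dots so "1.6.8-1" (rpm style) and "1.6.8.1"
# (deb style) compare as the same release. A missing trailing component
# counts as 0, so "1.6.8" sorts before "1.6.8-1".
version_lt() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ha=${a%%.*}; [ "$ha" = "$a" ] && a= || a=${a#*.}
        hb=${b%%.*}; [ "$hb" = "$b" ] && b= || b=${b#*.}
        # keep only digits so suffixes like "8ssl" cannot break arithmetic
        ha=$(printf '%s' "$ha" | tr -dc '0-9'); ha=${ha:-0}
        hb=$(printf '%s' "$hb" | tr -dc '0-9'); hb=${hb:-0}
        [ "$ha" -lt "$hb" ] && return 0
        [ "$ha" -gt "$hb" ] && return 1
    done
    return 1
}

# omi_is_vulnerable VERSION -> exit 0 if VERSION is older than the fix.
# An empty version (OMI not installed) is reported as not vulnerable.
omi_is_vulnerable() {
    [ -n "$1" ] && version_lt "$1" "$FIXED_OMI_VERSION"
}

# installed_omi_version prints the installed OMI package version, or
# nothing (exit 1) if the package is absent. Tries dpkg, then rpm.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null && return 0
    fi
    return 1
}

# omi_listeners lists TCP listeners on 5985/5986/1270. Assumption: these are
# OMI's default WSMan/SCX ports; the article does not name them. A patched
# OMI that still listens here is still reachable, so also review the NSG.
omi_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' \
            | grep -E ':(5985|5986|1270)$' \
            || echo "no OMI listeners on 5985/5986/1270"
    else
        echo "ss not available; skipping listener check"
    fi
}

# check_omi_host prints a verdict for this host. It always exits 0 so the
# output can be collected across a fleet without aborting a sweep.
check_omi_host() {
    v=$(installed_omi_version) || { echo "OMI: not installed"; return 0; }
    if omi_is_vulnerable "$v"; then
        echo "OMI $v: VULNERABLE (fixed in $FIXED_OMI_VERSION)"
    else
        echo "OMI $v: patched"
    fi
    omi_listeners
    return 0
}

check_omi_host
```

Run it as root (or with sudo) on each Azure Linux VM; a "VULNERABLE" line means the host needs the OMI package updated by hand, and any listener line means the endpoint is network-reachable and should be restricted until the update is in place.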
The problem is that the first attacks using OMIGOD have already been detected by information security researchers. In particular, according to Bad Packets and GreyNoise, attackers are already scanning the Internet for unpatched Azure Linux virtual machines, with scanning and attack traffic coming from more than 110 sources. Security researcher Germán Fernández writes that a Mirai-based botnet is behind some of these attacks.
Cado Security also analysed this botnet's malware and reports that it “closes the vulnerable ports that it used to prevent other botnets from taking over the system.”
According to information security expert Kevin Beaumont, other cybercriminals exploiting the OMIGOD bugs are deploying cryptocurrency miners on infected systems.