OMIGOD: Azure users warned of critical OMI vulnerabilities
Microsoft this week patched four vulnerabilities in Open Management Infrastructure (OMI), a widely used but little-known software agent embedded in many commonly used Azure services.
The Wiz Research Team discovered these flaws, which include remote code execution bug CVE-2021-38647 and privilege escalation vulnerabilities CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649. Most large organizations using Azure are affected by the flaws, which the team has collectively dubbed OMIGOD.
Open source OMI is the UNIX/Linux equivalent of Windows Management Instrumentation (WMI) and is deployed on many Linux virtual machines in Azure, enabling users to manage configurations across remote and local environments and collect statistics. It’s extensively used in many Azure services, though organizations using OMI often don’t know it’s there – and may not know they need to patch it now.
“Users usually have no clue about OMI,” says Wiz research lead Shir Tamari. “When we started this research, we asked people if they were familiar with OMI … no one knows what it is.”
When an organization sets up a Linux virtual machine (VM) in Azure and enables any of the Azure services that depend on OMI, the agent is silently installed on that VM and runs as root, the highest privilege on the system. There is no clear documentation in Azure on how OMI is deployed, monitored, and updated, the researchers note, so administrators typically have no signal that an unpatched copy is present.
These vulnerabilities affect several different services within Azure that silently use OMI, such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics. The team notes this is only a partial list and encourages readers to contact them if they know of more services using OMI.
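Because OMI arrives as a dependency of those agents rather than as something an administrator installs by hand, the practical first step is to inventory Linux VMs for the omi package and compare its version with the fixed release. The script below is an added example, not code from the article, from Microsoft or from Wiz. It assumes the package is named omi, is registered with dpkg or rpm, and that 1.6.8-1 is the first build carrying the fixes (the FIXED_OMI_VERSION constant; adjust it if Microsoft's advisory for your distribution lists a different build). The version strings fed to the comparison function in the usage notes are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether the OMI package on a Linux VM is at or above the
# build in which the OMIGOD fixes shipped. Not part of the article or of OMI.

# Assumption: 1.6.8-1 is the first fixed build of the "omi" package.
FIXED_OMI_VERSION="1.6.8-1"

# Return 0 if version string $1 (e.g. "1.6.8-1" or "1.6.8.1") is greater than
# or equal to FIXED_OMI_VERSION, 1 otherwise. Both strings are split on "." and
# "-" and compared field by field as integers; missing fields count as 0, so a
# bare "1.6.8" is treated as older than "1.6.8-1" (conservative: report it as
# unpatched rather than assume the release suffix).
omi_version_is_patched() {
    awk -v have="$1" -v need="$FIXED_OMI_VERSION" '
        BEGIN {
            nh = split(have, h, /[.-]/)
            nn = split(need, n, /[.-]/)
            for (i = 1; i <= 4; i++) {
                a = (i <= nh) ? h[i] + 0 : 0
                b = (i <= nn) ? n[i] + 0 : 0
                if (a != b) exit (a > b) ? 0 : 1
            }
            exit 0
        }'
}

# Print the installed omi package version, trying dpkg (Debian/Ubuntu) and then
# rpm (RHEL/CentOS/SUSE). Return 1 if no omi package is registered.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null) && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# Report on the current host. Exit status: 0 patched, 1 unpatched, 2 no omi
# package found (either OMI is absent or it was installed some other way).
check_this_host() {
    ver=$(installed_omi_version) || {
        echo "omi: package not registered with dpkg or rpm"
        return 2
    }
    if omi_version_is_patched "$ver"; then
        echo "omi $ver: at or above $FIXED_OMI_VERSION (OMIGOD fixes present)"
        return 0
    fi
    echo "omi $ver: below $FIXED_OMI_VERSION, update required"
    return 1
}

# Usage: . ./omi_check.sh && check_this_host
```

Run it under your fleet tooling (Run Command, Ansible, or a plain SSH loop) and collect the exit status per VM; exit 2 still deserves a look, because a VM whose package database does not know about omi can still be running it if an agent installer unpacked it directly, so pair this with a process or filesystem check for /opt/omi on anything that reports 2. Hand-constructed inputs show the comparison: "1.6.8-1" and "1.7.0-0" report patched, while "1.6.4-1", "1.6.8-0" and an empty string report unpatched.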
To read the complete article, visit Dark Reading.