The Wiz Research Team recently found four critical vulnerabilities in OMI, one of Azure’s most ubiquitous yet least known software agents, and is deployed on a large portion of Linux VMs in Azure. The vulnerabilities are very easy to exploit, according to Wiz researchers, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges.

The vulnerabilities are tracked as:

• CVE-2021-38647 – Unauthenticated RCE as root
• CVE-2021-38648 – Privilege Escalation vulnerability
• CVE-2021-38645 – Privilege Escalation vulnerability
• CVE-2021-38649 – Privilege Escalation vulnerability

Wiz found that many different services in Azure are affected, including any customer using one or more of the following services:

• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics

Tyler Shields, CMO at JupiterOne, says, “To understand their exposure to this vulnerability, enterprises need to know which assets have the OMI management function enabled and ensure that nothing is directly exposed to the Internet. You may assume that two or three layers of firewalls protect these assets, but unfortunately, transitive trust relationships among assets can accidentally create a path that an attacker can exploit. A cloud-native attack surface measurement tool that connects assets in a relationship graph will tell you pretty quickly if any of those instances are actually exposed.”

In a survey, Wiz found that over 65% of sampled Azure customers were exposed to these vulnerabilities and unknowingly at-risk. Although widely used, OMI’s functions within Azure VMs are almost completely undocumented, and there are no clear guidelines for customers regarding how to check and upgrade existing OMI versions. 

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, explains that the cloud service risk/reward tradeoff is very evident in this scenario.

Bar-Dayan says, “IT security teams trust cloud providers like Azure to provide a secure service, and in the event of a bug or vulnerability, to take immediate steps to mitigate the risk. In almost all cases, cloud providers remediate the vulnerabilities found in their services before they are exploited at scale. It typically takes a series of vulnerabilities to be left unaddressed by vendors and users for an advanced persistent threat to be successful. The fact that 99% of all cybersecurity breaches exploit a known, unmitigated vulnerability does not apply to cloud services simply because providers like AWS and Azure are aggressively proactive about the cyber hygiene of their products. The real risk in cloud security stems from the fact that 95% of all cloud security breaches are due to user error and cloud service user misconfigurations. Enterprise users of cloud services must make the security of the services they consume a top priority and be as proactive as the cloud service providers in their never-ending mitigation efforts.”