There are multiple vulnerabilities including unauthenticated RCE and EoP dubbed as OMIGOD in Microsoft's OMI agent. These vulnerabilities affect many Azure customers as this agent is a requirement for several Azure services including Azure Log Analytics, Azure Security Center, Azure Operations Management Suite. The vulnerabilities affect any OMI installation and are not limited to Azure.
OVERVIEW
▪ Microsoft patched three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework installed by Microsoft on more than half of all Azure instances. All OMI versions below v1.6.8-1 are vulnerable.
▪ OMI is Microsoft’s open-source UNIX/Linux equivalent of Windows Management Instrumentation and Remote Management (WMI/WinRM). It allows users to manage configurations across remote and local environments and collect statistics. Due to the ease of use and abstraction that OMI provides, it is used widely in Azure.
▪ OMI is pre-installed into Azure Linux VM instances as it enables certain logging, reporting, and host management options from the cloud provider’s user interface and APIs. The OMI agent runs as root with high privileges. Any user can communicate with it using a UNIX socket or sometimes using an HTTP API when configured to allow external usage. These would allow external users or low-privileged users to remotely execute code on target machines or escalate privileges.
▪ Attackers have started actively exploiting the critical Azure OMIGOD vulnerabilities by malicious DDoS botnets Mirai and cryptominers.