OMIGOD! Azure Vulnerabilities Are Being Exploited
No sooner had the vulnerabilities in the Open Management Infrastructure (OMI) software agent, silently installed by Microsoft on more than half of all Azure instances, been revealed than threat actors were already on the case, exploiting the flaws.
“Mirai botnet is exploiting #OMIGOD—they drop a version of Mirai DDoS botnet and then close 5896 (OMI SSL port) from the internet to stop other people exploiting the same box,” Kevin Beaumont, aka GossiTheDog tweeted.
Microsoft disclosed the four vulnerabilities during this September’s Patch Tuesday earlier this week.
“Azure users running Linux virtual machines are at risk of compromise unless they upgrade now,” said Cado Security in its analysis of the flaw and its exploitation, noting that “a vulnerable piece of management software in the Open Management Infrastructure (OMI) framework can be remotely exploited by attackers enabling them to escalate to root privileges and remotely execute malicious code.”
Azure, Cado explained, “will automatically install the OMI agent when users set up a Linux VM and monitoring and other services are enabled.” By default, then, “OMI runs with root access—making the system extremely vulnerable and subject to compromise,” the Cado researchers said. “It typically runs on ports 5986, 5985 and 1270; however, any port can be used.”
Exploiting OMIGOD is easy. Attackers only have to skip the authentication of requests, which Cado said “defaults with root access across systems.”
“The race is on,” said Stuart Winter-Tear, director of strategy at ThreatModeler. “As this is now confirmed as being actively scanned and exploited in an automated fashion via botnets, and we know there is the potential for root privilege remote code execution, any open OMI ports must be closed as soon as possible and Azure mitigation guidelines need to be implemented.”
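One quick check that follows from Cado's port list and the advice to close any open OMI ports: audit the host's listening sockets and flag OMI listeners bound to anything other than loopback. This is an added example, not code from the article, Cado or Microsoft; it parses a constructed `ss -ltnp` sample, and the process name `omiserver` is assumed to be the OMI daemon's binary name.

```python
import re
from typing import List, Tuple

# Ports Cado Security names as OMI's usual listeners; the article notes any port can be used,
# so the process name is checked as well (assumed: the OMI daemon runs as "omiserver").
OMI_PORTS = {5985, 5986, 1270}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -ltnp` output for illustration; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5985       0.0.0.0:*          users:(("omiserver",pid=1407,fd=8))
LISTEN  0       128     *:5986               *:*                users:(("omiserver",pid=1407,fd=9))
LISTEN  0       128     [::]:1270            [::]:*             users:(("omiserver",pid=1407,fd=10))
LISTEN  0       128     0.0.0.0:8443         0.0.0.0:*          users:(("omiserver",pid=1407,fd=11))
"""


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local_addr, port, process) for each LISTEN line of `ss -ltnp` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "*:5986" and "[::]:1270"
        proc_match = re.search(r'\("([^"]+)"', line)
        proc = proc_match.group(1) if proc_match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def exposed_omi_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """OMI listeners (by port or by process name) bound to a non-loopback address."""
    return [
        (addr, port, proc)
        for addr, port, proc in parse_listeners(ss_output)
        if (port in OMI_PORTS or proc.startswith("omi")) and addr not in LOOPBACK
    ]


if __name__ == "__main__":
    for addr, port, proc in exposed_omi_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {proc} listening on {addr}:{port}")
```

Any line reported here should be firewalled or rebound before the agent is updated; the loopback-only listener is not flagged.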
Vectra CTO Oliver Tavakoli agreed that “immediately upon disclosure of a vulnerability, particularly a critical one which allows remote code execution with root privileges, it is always a race against the clock to mitigate/patch vs. getting exploited.”
When a “cloud-centric issue can be exploited from a remote position, the attack is ripe for automated discovery and attacks,” said Tyler Shields, CMO at JupiterOne. “While I am sure there are a lot of directed attacks at certain companies, I’m going to take an educated guess and say that much of this is automated scanning looking for opportunities of chance.”
But Tavakoli said that Azure is a big draw for attackers. This vulnerability, he contended, “is valuable enough to an attacker to go to the top of the list of anyone who is targeting assets organizations hold in Azure.”
Much of the responsibility to reduce risk in the cloud falls on the user, according to Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. “The fact that 99% of all cybersecurity breaches exploit a known, unmitigated vulnerability does not apply to cloud services simply because providers, such as AWS and Azure, are aggressively proactive about the cyber hygiene of their products,” he said.
“The real risk in cloud security stems from the fact that 95% of all cloud security breaches are due to user error and cloud service user misconfigurations,” said Bar-Dayan. “We plead with enterprise consumers of cloud services to make the security of the services they consume a top priority and be as proactive as the cloud service providers in their never-ending mitigation efforts.”