Four New Microsoft Azure Vulnerabilities Reported By Cyber Firm Wiz
Just weeks after cybersecurity firm Wiz disclosed a major Azure Cosmos DB vulnerability, a research team at the company has reported four additional vulnerabilities related to the Microsoft Azure cloud platform.
The four vulnerabilities are associated with an open-source software agent embedded in Microsoft Azure tools including Automation, Operations Management Suite, Diagnostics and Log Analytics, according to Wiz, which reported the vulnerabilities on Tuesday and says the affected services have not yet been fixed.
[Related: Here Are 10 Of The Latest Microsoft Azure Updates]
The agent, Open Management Infrastructure (OMI), is automatically deployed without users’ knowledge when they set up a Linux virtual machine in the cloud and enable certain Azure services, according to a post from Wiz on Tuesday. Attackers can use the four vulnerabilities to access root privileges and remotely encrypt files for ransom or execute other malicious code, Wiz reported. The company has nicknamed the vulnerabilities “OMIGOD.”
“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” according to the Wiz post. “In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.”
Microsoft did not immediately provide answers to questions from CRN on Wednesday.
The Redmond, Wash.-based tech giant released a patched OMI version, but as of Wednesday, the affected Azure services “haven’t been fixed,” according to Wiz. The other affected tools include Automatic Update and Configuration Management.
“Vulnerable OMI versions are still deployed to new Linux VMs when enabling these services,” according to Wiz.
A Microsoft software developer posted to GitHub on Wednesday that “the team is aware of the vulnerability in the OMI dependency, we are currently generating a release using the fixed OMI version and will publish the release once verified.”
This year, vulnerabilities have been discovered in various Microsoft tools, from Azure Cosmos DB to Exchange and Windows Print Spooler to Trident.
Microsoft customers, not just those using Azure, are also affected because OMI is independently installed on any Linux machine and often used on-premises, according to the Wiz post. OMI is an open-source project sponsored by Microsoft with The Open Group. It works as Windows Management Infrastructure for UNIX and Linux systems, allowing users to gather statistics and sync configurations across environments.
“Because Azure provides virtually no public documentation about OMI, most customers have never heard of it and are unaware that this attack surface exists in their environment,” according to the post.
The vulnerabilities allow external users and ones with low privileges to remotely execute code on target machines or escalate privileges. In the most severe vulnerability, an attacker can do remote code execution due to HTTPS port exposure in the Azure Configuration Management tool.
Tuan Pham, CEO of Tech Networks of Boston, a Microsoft partner based in South Boston, Mass., told CRN in an interview that the incident is a lesson in the tradeoffs with cloud computing. With the benefits of cloud tools there are vulnerabilities when web services are exposed to other networks, no matter the vendor, he said.
Solution providers and cybersecurity researchers need to put pressure on vendors to keep everyone’s information safe from intrusion, Pham said.
“It’s up to vendors on how well they respond to these vulnerabilities,” Pham said. “Vendors have to be open and honest with their users when a potential vulnerability is found and not try to brush it under the rug with a commit in a GitHub repository as Microsoft did.”
Nir Ohfeld, a Wiz senior security researcher, told CRN in an interview that although open source code can be more secure than proprietary software due to the number of programmers looking at the code, bad open source code can end up in a wide range of products and services.
He said the vulnerabilities are a lesson in vendors needing to be more transparent with users on what is installed with their tools and a lesson for users on the difficulty of viewing an entire cloud environment and finding every embedded tool. Users should really weigh the costs and benefits of cloud tool adoption when such tools could result in more exposures.
“You can configure your machine so good, enable all of Azure’s security measures, but those security measures are exactly the ones that installed the vulnerable agent,” he said.