Four new Microsoft Azure vulnerabilities reported

Just weeks after cybersecurity firm Wiz disclosed a major Azure Cosmos DB vulnerability, a research team at the company has reported four additional vulnerabilities related to the Microsoft Azure cloud platform.

The four vulnerabilities are associated with an open-source software agent embedded in Microsoft Azure tools including Automation, Operations Management Suite, Diagnostics and Log Analytics, according to Wiz, which reported the vulnerabilities on Tuesday and says the affected services have not yet been fixed.

The agent, Open Management Infrastructure (OMI), is automatically deployed without users’ knowledge when they set up a Linux virtual machine in the cloud and enable certain Azure services, according to a post from Wiz on Tuesday. Attackers can use the four vulnerabilities to access root privileges and remotely encrypt files for ransom or execute other malicious code, Wiz reported. The company has nicknamed the vulnerabilities “OMIGOD.”

“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” according to the Wiz post. “In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.”

Microsoft did not immediately provide answers to questions from CRN US on Wednesday (US time).

The tech giant released a patched OMI version, but as of Wednesday (US time), the affected Azure services “haven’t been fixed,” according to Wiz. The other affected tools include Automatic Update and Configuration Management.

“Vulnerable OMI versions are still deployed to new Linux VMs when enabling these services,” according to Wiz.

A Microsoft software developer posted to GitHub on Wednesday that “the team is aware of the vulnerability in the OMI dependency, we are currently generating a release using the fixed OMI version and will publish the release once verified.”

This year, vulnerabilities have been discovered in various Microsoft tools, from Azure Cosmos DB to Exchange and Windows Print Spooler to Trident.

Microsoft customers, not just those using Azure, are also affected because OMI is independently installed on any Linux machine and often used on-premises, according to the Wiz post.

OMI is an open-source project sponsored by Microsoft with The Open Group. It serves as the equivalent of Windows Management Infrastructure (WMI) for UNIX and Linux systems, allowing users to gather statistics and sync configurations across environments.

“Because Azure provides virtually no public documentation about OMI, most customers have never heard of it and are unaware that this attack surface exists in their environment,” according to the post.

The vulnerabilities allow external users and low-privileged users to remotely execute code on target machines or escalate privileges. The most severe of them allows remote code execution because of an exposed HTTPS port in the Azure Configuration Management tool.
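As an added defender-side check (not from the article, Wiz or Microsoft), the following POSIX shell script inventories a Linux host for the OMI agent the article says customers are unaware of: it reads the installed package version, compares it against a patched version you supply (the article gives no version number, so the placeholder must be set), and flags OMI listeners bound to non-loopback addresses. The package name `omi`, the `ss -ltnp` column layout and the sample socket lines are assumptions or constructed data, not values from the page.

```shell
#!/bin/sh
# Added OMI inventory check. Assumptions: the package is named "omi" (dpkg/rpm) and
# `ss -ltnp` prints the local address:port in column 4 and the owning process last.
# Placeholder: the article gives no version number, so set this to the patched OMI
# release Microsoft published before trusting the version comparison.
OMI_FIXED_VERSION="${OMI_FIXED_VERSION:-PATCHED.VERSION.PLACEHOLDER}"

# Constructed `ss -ltnp` sample for the offline self-check (not captured from a real host).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*         users:(("omiserver",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*         users:(("omiserver",pid=1234,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Exit 0 when version $1 sorts strictly before $2 under `sort -V` (installed build predates the fix).
omi_version_older() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# From `ss -ltnp` output on stdin, print each OMI-owned listener not bound to loopback:
# the kind of HTTPS-port exposure the article describes.
omi_exposed_listeners() {
    awk 'NR > 1 && $NF ~ /omi/ && $4 !~ /^(127\.|\[::1\]|::1)/ { print $4 }'
}

# Installed OMI package version (empty when absent); tries dpkg first, then rpm.
installed_omi_version() {
    dpkg-query -W -f '${Version}\n' omi 2>/dev/null ||
        { rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi; }
}

# Live audit of this host; run as root so `ss -p` can attribute sockets to processes.
audit_host() {
    ver=$(installed_omi_version)
    if [ -z "$ver" ]; then
        echo "OMI package not installed on this host"
        return 0
    fi
    echo "OMI installed: version $ver"
    if omi_version_older "$ver" "$OMI_FIXED_VERSION"; then
        echo "  -> older than fixed version $OMI_FIXED_VERSION: update the agent"
    fi
    exposed=$(ss -ltnp 2>/dev/null | omi_exposed_listeners)
    [ -n "$exposed" ] && echo "  -> OMI listening beyond loopback on: $exposed"
    return 0
}
# Set OMI_AUDIT_LIVE=1 to audit the host; otherwise only the functions are defined.
if [ "${OMI_AUDIT_LIVE:-0}" = "1" ]; then
    audit_host
fi
```

A listener on loopback only is still worth recording in the inventory, since the article's point is that the agent is present without the owner knowing; the script only escalates the non-loopback case.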

Nir Ohfeld, a Wiz senior security researcher, told CRN in an interview that although open source code can be more secure than proprietary software due to the number of programmers looking at the code, bad open source code can end up in a wide range of products and services.

He said the vulnerabilities are a lesson in vendors needing to be more transparent with users on what is installed with their tools and a lesson for users on the difficulty of viewing an entire cloud environment and finding every embedded tool. Users should really weigh the costs and benefits of cloud tool adoption when such tools could result in more exposures.

“You can configure your machine so good, enable all of Azure’s security measures, but those security measures are exactly the ones that installed the vulnerable agent,” he said.

This article originally appeared at crn.com

Copyright © 2018 The Channel Company, LLC. All rights reserved.