Emerging Threats

OMIGOD: critical vulnerabilities in Azure cloud services

· frtg · 2 min read

In recent weeks, Microsoft identified four critical vulnerabilities affecting the infrastructure management tool OMI, deployed on machines provisioned through Azure. These vulnerabilities permit remote code execution with administrative privileges.

OMI software and discovered vulnerabilities

OMI (Open Management Infrastructure) is an open-source project sponsored by Microsoft in collaboration with The Open Group. The tool, developed to run on Unix systems, implements the CIM (Common Information Model) standard for managing system components and associated information. OMI enables collection of statistical data and synchronization of configurations across multiple environments. For this reason, the tool is utilized by several Azure services, including Open Management Suite (OMS), Azure Insights, and Azure Automation.

The OMI agent is deployed automatically and without user awareness during the creation of Linux virtual machines to which remote management and monitoring services are added. The services involving deployment of the tool by Azure are:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

OMI can also be installed independently and is frequently present on on-premises systems.

The four discovered vulnerabilities were grouped by the research team at Wiz under the identifier OMIGOD and are as follows:

  • CVE-2021-38647 – Unauthenticated RCE with root privileges
  • CVE-2021-38648 – Privilege Escalation
  • CVE-2021-38645 – Privilege Escalation
  • CVE-2021-38649 – Privilege Escalation

Remediation measures

Microsoft has released an updated version of OMI (version 1.6.8.1) that includes patches for the aforementioned vulnerabilities. To reduce the attack surface, we recommend restricting access to ports 5985, 5986, and 1270 wherever OMI exposes them on the network. Organizations managing heterogeneous infrastructure should prioritize inventorying and patching OMI instances through a cybersecurity advisory process, so that coverage extends to both Azure and on-premises deployments.
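The two checks the remediation guidance implies, written as an added POSIX sh example (not part of the original advisory): compare an installed OMI version against the fixed release 1.6.8.1, and report which of the ports 5985, 5986 and 1270 are listening on a non-loopback address in `ss -ltn` output. The `ss` listing below is constructed sample data, and the package name `omi` in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original advisory: decide whether an OMI build
# predates the fixed release 1.6.8.1 and list which of OMI's ports (5985,
# 5986, 1270) are bound to a non-loopback address in `ss -ltn` output.

OMI_FIXED_VERSION="1.6.8.1"
OMI_PORTS="5985 5986 1270"

# Compare dotted versions numerically per component (1.6.8 < 1.6.8.1,
# 1.6.10.0 > 1.6.8.1); prints -1, 0 or 1.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo -1; return; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# True (exit 0) when the installed version is at or above the fixed release.
omi_is_patched() {
    [ "$(version_cmp "$1" "$OMI_FIXED_VERSION")" -ge 0 ]
}

# Read `ss -ltn` output on stdin; print OMI ports bound to non-loopback addresses.
omi_exposed_ports() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { split(ports, p, " "); for (i in p) want[p[i]] = 1 }
        NR > 1 {
            n = split($4, f, ":"); port = f[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if ((port in want) && host !~ /^(127\.|\[::1\])/) print port
        }' | sort -n
}

# Constructed sample listing; on a real host use:  ss -ltn | omi_exposed_ports
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*
LISTEN 0      128    [::]:5985           [::]:*
LISTEN 0      128    127.0.0.1:1270      0.0.0.0:*'

# The installed version comes from the package manager, e.g.
# dpkg-query -W -f '${Version}' omi   (package name "omi" assumed).
for v in 1.6.4.1 1.6.8.1; do
    omi_is_patched "$v" && echo "$v: patched" || echo "$v: vulnerable, update OMI"
done
printf '%s\n' "$SAMPLE_SS" | omi_exposed_ports | sed 's/^/network-exposed OMI port: /'
```

The loopback-bound 1270 listener in the sample is deliberately not reported, since only network-reachable listeners widen the attack surface the advisory describes.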