[BlueOnyx:25115] OT: Azure "OMIGOD" exploit

Michael Stauber mstauber at blueonyx.it
Wed Sep 15 20:08:30 -05 2021


Hi all,

This is in no way related to BlueOnyx, but I know some here use Azure
for hosting BlueOnyx.

Check this out if you haven't:

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

Mickey Mouse Software fucked this one up in a spectacular fashion. There
is a root exploit in Azure's remote management OMI. All an attacker
needs to do is to *omit* sending the authentication headers and he gets
"root" on the managed host(s).

Please read that again: Omit authentication headers to become "root"!

If that isn't a massive facepalm and the height of incompetence, then I
don't know. And it only got beaten by their handling of the crisis.

The problem was reported to them on 1st June and just *now* patches are
out. WHICH DON'T automatically patch the vulnerability on the hosts that
are exposed via OMI. Which is kinda ridiculous.

So who is vulnerable?

----------------------------------------------------------------------
Azure customers on Linux machines -- which account for over half of all
Azure instances according to Microsoft -- are at risk if they use any of
the following services / tools:

    Azure Automation
    Azure Automatic Update
    Azure Operations Management Suite (OMS)
    Azure Log Analytics
    Azure Configuration Management
    Azure Diagnostics

Note that this is only a partial list. Contact us at research at wiz.io if
you are aware of additional Azure services silently deploying OMI.

In addition to Azure cloud customers, other Microsoft customers are
affected since OMI can be independently installed on any Linux machine
and is frequently used on-premise. For example, OMI is built into System
Center for Linux, Microsoft's server management solution.
----------------------------------------------------------------------

And of course the vulnerability is now actively being exploited.

Like I said: This is Microsoft Azure. Not related to BlueOnyx (or
Aventurin{e}) in any way, but some here are using Azure, so I thought
I'd mention it.

-- 
With best regards

Michael Stauber

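Since the post points out that the patches do not automatically land on hosts that already run OMI, a host-side check is the natural follow-up. The script below is an added example, not part of the original post and not Microsoft's or Wiz's tooling. It assumes the OMI agent ships as a package named `omi` (rpm or deb), that its WS-Management listener uses TCP ports 5985/5986 (and 1270 for System Center), and that the admin supplies the fixed version from the vendor advisory in `OMI_FIXED_VERSION`; none of these values come from the post. It reports whether OMI is installed, whether the installed version is at or above the supplied fixed version, and whether the listener is bound to a non-loopback address, which is the exposure the post describes.

```sh
#!/bin/sh
# Added example (not from the original post): check a Linux host for an
# installed OMI agent and for an OMI listener reachable from the network.
# Assumptions (not stated in the post): package name "omi", OMI ports
# 5985/5986/1270, and OMI_FIXED_VERSION supplied by the admin from the
# vendor advisory (placeholder default below).

OMI_PORTS="${OMI_PORTS:-5985 5986 1270}"
OMI_FIXED_VERSION="${OMI_FIXED_VERSION:-SET-FROM-VENDOR-ADVISORY}"

# omi_version: print the installed omi package version, or nothing.
omi_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' omi 2>/dev/null
    fi
}

# version_at_least A B: succeed if version A >= version B, comparing
# dot/dash separated numeric components (e.g. 1.2.3-4).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) exit 1
            if (xa > yb) exit 0
        }
        exit 0
    }'
}

# omi_exposed_listeners: read `ss -ltn` output on stdin and print each
# local address that is bound to an OMI port on a non-loopback interface.
# The header line has no ":port" suffix in field 4 and is skipped.
omi_exposed_listeners() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4
            k = match(addr, /:[0-9]+$/)
            if (!k) next
            port = substr(addr, k + 1)
            host = substr(addr, 1, k - 1)
            if (!(port in want)) next
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
            print addr
        }'
}

# omi_status: human-readable report; always returns 0 so it can be
# dropped into a cron job or a fleet-wide runner without aborting it.
omi_status() {
    v=$(omi_version)
    if [ -z "$v" ]; then
        echo "OMI: not installed"
    elif version_at_least "$v" "$OMI_FIXED_VERSION"; then
        echo "OMI: installed $v (at or above $OMI_FIXED_VERSION)"
    else
        echo "OMI: installed $v, BELOW $OMI_FIXED_VERSION -- patch this host"
    fi
    if command -v ss >/dev/null 2>&1; then
        exposed=$(ss -ltn 2>/dev/null | omi_exposed_listeners)
        if [ -n "$exposed" ]; then
            echo "OMI listener reachable from the network on: $exposed"
        else
            echo "OMI: no network-exposed listener on ports $OMI_PORTS"
        fi
    fi
    return 0
}

omi_status
```

Run it as root on each Azure Linux host (or push it out with whatever you already use for fleet commands); a non-loopback listener together with a version below the advisory's fixed version is the combination to act on first.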

