UPDATED 22:33 EDT / SEPTEMBER 16 2021

‘OMIGOD’ Microsoft Azure vulnerabilities expose users to hacking

Azure customers remain exposed to a range of recently revealed vulnerabilities in Microsoft Corp.’s Azure, because the patch may have to be applied manually.

Dramatically dubbed OMIGOD by researchers at Wiz Inc. in a notice Tuesday, the vulnerabilities relate to the Open Management Infrastructure (OMI) agent that’s deployed when Azure users set up a Linux virtual machine in the cloud and enable certain Azure services. Attackers can use the four vulnerabilities to obtain root privileges and execute malicious code, including ransomware with file encryption.

According to Sophos, one of the vulnerabilities is a bug that boils down to “a laughably easy trick” because it requires no password. Rather than guessing a valid authentication token to insert into a fraudulent OMI web request, simply omitting all mention of the authentication token delivers access.

The vulnerabilities affect users of Azure services, including Automation, Automatic Update, Operations Management Suite, Log Analytics, Configuration Management, Diagnostics and Container Insights.

Typically, when vulnerabilities are revealed, particularly in cloud-based services, the patches are simply applied, but this is not a typical case. Microsoft offered a patch in August, yet Azure services remain exposed.

The problem is that users may have to apply the patches themselves, even though the issue resides in Azure Linux installs. Complicating the matter further, many users may not be aware that they have OMI installed, since it’s installed when users add one of those Azure services.

The Wiz researchers conservatively estimate that thousands of Azure customers and millions of endpoints are affected. Further, they noted, it might not just be those using Azure who are affected, since OMI is also independently installed on other Linux machines and is often used on-premises.

“Management agents like OMI are part of the overall attack surface for a deployed system and as such need to be accounted for within the threat models associated with the application,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE.

“Put another way, when constructing a threat model for an application, it’s not sufficient to look solely at how an application behaves in isolation, but rather the impact of deployment decisions need to be accounted for,” Mackey added. “That’s because attackers defined the rules of their attack, and a decision to restrict security reviews based upon an arbitrary ‘in-bound’ designation won’t be something they consider when executing an attack.”

Tyler Shields, chief marketing officer at cyber asset management company JupiterOne Inc., noted that finding an underlying vulnerability in a management function of a cloud service provider is significant.

“To understand their exposure to this vulnerability, enterprises need to know which assets have the OMI management function enabled and ensure that nothing is directly exposed to the internet,” Shields explained. “You may assume that two or three layers of firewalls protect these assets, but unfortunately, transitive trust relationships among assets can accidentally create a path that an attacker can exploit.”

Oliver Tavakoli, chief technology officer at artificial intelligence cybersecurity firm Vectra AI Inc., said that the discovery “certainly proves that simply outsourcing software acquisition (and patch management) to a cloud service provider does not ensure that it is flawlessly executed.”
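The inventory step Shields describes, and the point that users may not know OMI is installed, can be turned into a simple triage. This is an added example, not code from the article or from Wiz, Microsoft or JupiterOne; it assumes OMI’s remote listener ports are 5985 and 5986 and runs over constructed per-host data.

```python
"""Triage constructed host inventory for OMI agent exposure.

The sample data stands in for per-host output of a package query
(e.g. `dpkg -l omi` / `rpm -q omi`) and `ss -ltn`; nothing here touches
a real system.
"""

# Assumption (not stated in the article): OMI's remote WS-Man listener ports.
OMI_REMOTE_PORTS = {5985, 5986}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss_listeners(ss_output):
    """Return (address, port) pairs from `ss -ltn` style lines."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)       # local address column
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def omi_exposure(omi_installed, ss_output):
    """Classify a host: 'absent', 'local-only' (still needs the patch) or
    'exposed' (OMI listening on a non-loopback address: patch first)."""
    if not omi_installed:
        return "absent"
    exposed = [p for a, p in parse_ss_listeners(ss_output)
               if p in OMI_REMOTE_PORTS and a not in LOOPBACK]
    return "exposed" if exposed else "local-only"


# Constructed inventory: host name -> (omi package present?, ss -ltn output)
SAMPLE_HOSTS = {
    "vm-logs-01": (True, "LISTEN 0 128 0.0.0.0:5985 0.0.0.0:*\n"
                         "LISTEN 0 128 [::]:22 [::]:*\n"),
    "vm-web-02": (True, "LISTEN 0 128 127.0.0.1:5986 0.0.0.0:*\n"
                        "LISTEN 0 128 *:443 *:*\n"),
    "vm-db-03": (False, "LISTEN 0 128 [::1]:5432 [::]:*\n"),
}


def triage(hosts=SAMPLE_HOSTS):
    """Map each host to its OMI exposure class, most urgent first."""
    order = {"exposed": 0, "local-only": 1, "absent": 2}
    result = {name: omi_exposure(*data) for name, data in hosts.items()}
    return dict(sorted(result.items(), key=lambda kv: order[kv[1]]))


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:12} {status}")
```

Hosts classed as exposed should be patched (or have the listener restricted) before those that only listen on loopback, which still need the patch because the local privilege-escalation path remains.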
