Microsoft customers who operate Linux VMs in the company’s Azure cloud should act as soon as possible and patch a number of dangerous security holes. Contrary to all expectations, Microsoft will not do this itself. In view of the danger to its customers, the company does surprisingly little to protect them in this case.
Attacks are very easy
This week, as part of its monthly Patch Day, Microsoft fixed vulnerabilities in the Open Management Infrastructure (OMI) software, which is installed in Linux VMs in the Azure cloud, among other places, to handle management functions. The problems with OMI go back to four vulnerabilities that the security company Wiz discovered in the software. They allow an unauthenticated user to execute arbitrary code with root privileges in the affected VM. All the attacker needs is network access to the VM from the public Internet. The security researchers at Wiz named these holes OMIGOD, probably because that is exactly what you exclaim once you understand how incredibly easy they are to exploit.
The situation is made worse by the fact that OMI is not software Linux administrators are familiar with; it is a Microsoft-specific component of the Azure environment. Left to their own devices, the admins of a Linux VM will most likely not even know that OMI is in use, because the service is quietly installed in the VM when any of a number of Azure services for automatic updates, log analysis, configuration or diagnostics are activated. If these functions are configured during setup, the service is usually installed together with the new VM.
Table of horror
This raises the question of why Microsoft did not fix the problem automatically as part of its Patch Day fixes, given that it installed the OMI service automatically without asking the customer in the first place. After all, the central selling point of cloud services, at Microsoft as elsewhere, is that the user has to worry about as little as possible. Usually, cloud providers quietly fix such vulnerabilities before they even become public. The customer does not need to do anything, and their systems are more secure than if they had to install patches themselves, because the cloud provider can do this much faster and more effectively for all systems at once.
Microsoft obviously sees it differently. In its current advisory on the OMIGOD vulnerabilities, the company recommends that its customers install the relevant updates themselves as soon as they are available. The company provides a clear table (Microsoft loves tables) listing the individual OMI components, where they can be found and when a fix can be expected.
However, Microsoft has not formatted the table in such a way that web browsers can display it properly. At first, and also at second, glance the column for the fixes is invisible. Only when you discover the horizontal scroll bar at the very bottom of the table does it become clear that the actually important information is hidden to the right, outside the visible area of the table. Even an ultra-widescreen monitor is no help here; the layout of Microsoft's website is the problem. At least a note about the scroll bar was added below the table at some point after the notes above the table were first published.
All-round carefree cloud is different
The table lists 13 specific issues that stem from the OMIGOD vulnerabilities. Microsoft says it will fix six of them automatically. The admins of affected Linux VMs, however, have to take care of the seven remaining gaps themselves. So users have to find out for themselves whether their systems are running the latest version of the OMI software and whether their VMs have already been attacked and compromised through the holes. To make matters worse, even after the updates were released on Patch Day, Microsoft apparently continued to install vulnerable OMI services in newly created Linux VMs. For a company the size of Microsoft, this handling of a critical remote code execution vulnerability is embarrassing. Customers who expect an all-round carefree cloud are left in the lurch with a serious security flaw in software they never explicitly asked to install.
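Since the article leaves the "is my VM running a patched OMI?" question to the admin, here is a small POSIX shell check an operator can run inside a Linux VM. It is an added example, not code from the article or from Microsoft, and it makes a few assumptions: OMI installs its server binary at /opt/omi/bin/omiserver, which prints its version with `-v`; package managers know it as the package `omi`; and OMI's remote management endpoints listen on TCP 5985 (HTTP) and 5986 (HTTPS), which is what makes a VM reachable from the network in the first place. The article does not state the version number in which the holes are fixed, so the script takes it from the environment variable OMI_MIN_FIXED_VERSION, which you set from Microsoft's advisory.

```shell
#!/bin/sh
# Added example: check the installed OMI version and its network exposure on a Linux VM.
# Assumptions (not from the article): /opt/omi/bin/omiserver -v prints the version,
# the package is named "omi", and remote OMI listens on TCP 5985/5986.

# version_ge A B: return 0 if dotted/dashed version A is >= version B.
# Non-numeric characters are treated as separators, so "1.6.8-1" equals "1.6.8.1".
version_ge() {
  a=$(printf '%s' "$1" | sed 's/[^0-9.]/./g')
  b=$(printf '%s' "$2" | sed 's/[^0-9.]/./g')
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
    x=${x:-0}; y=${y:-0}                      # missing component counts as 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
}

# omi_installed_version: print the installed OMI version, or nothing if OMI is absent.
omi_installed_version() {
  v=""
  if [ -x /opt/omi/bin/omiserver ]; then
    # omiserver -v prints something like "/opt/omi/bin/omiserver: <version>"; keep the last field
    v=$(/opt/omi/bin/omiserver -v 2>/dev/null | awk '{print $NF}')
  elif command -v dpkg-query >/dev/null 2>&1; then
    v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null || true)
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q omi >/dev/null 2>&1 && v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi)
  fi
  printf '%s\n' "$v"
}

# omi_status INSTALLED MIN: classify as not-installed, patched or vulnerable.
omi_status() {
  if [ -z "$1" ]; then
    echo not-installed
  elif version_ge "$1" "$2"; then
    echo patched
  else
    echo vulnerable
  fi
}

# omi_remote_listeners: print local addresses where something listens on OMI's
# remote management ports (5985/5986). Empty output means no remote exposure.
omi_remote_listeners() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk '$4 ~ /:598[56]$/ {print $4}'
  fi
}

# omi_report: human-readable summary for the operator; never fails the shell.
omi_report() {
  installed=$(omi_installed_version)
  echo "OMI installed version: ${installed:-<none>}"
  if [ -n "${OMI_MIN_FIXED_VERSION:-}" ]; then
    echo "OMI status vs. ${OMI_MIN_FIXED_VERSION}: $(omi_status "$installed" "$OMI_MIN_FIXED_VERSION")"
  else
    echo "Set OMI_MIN_FIXED_VERSION to the fixed version from Microsoft's advisory to get a verdict."
  fi
  listeners=$(omi_remote_listeners)
  if [ -n "$listeners" ]; then
    echo "OMI remote management ports are listening on: $listeners"
    echo "Confirm with your network security group that these are not reachable from the Internet."
  else
    echo "No listener on 5985/5986; OMI is not reachable over the network from here."
  fi
  return 0
}

omi_report
```

Run it as root inside the VM (`OMI_MIN_FIXED_VERSION=<version from the advisory> sh omi-check.sh`). A `vulnerable` verdict together with a listener on 5985 or 5986 is the exposed configuration the article describes; `not-installed` is the normal state on a VM that never enabled the Azure services that bring OMI along.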
Fortunately, there do not yet seem to be any mass attacks like those on the Exchange vulnerabilities earlier this year. In an investigation, the security company Censys found only a few dozen vulnerable servers, probably because only a few of the affected VMs are publicly reachable on the Internet. Nevertheless, the affected systems should be patched as soon as possible. Exploiting the OMIGOD vulnerabilities is so easy and the payoff so complete (root access) that it will not be long before attackers find the affected systems and target them. Proof-of-concept attack code for the vulnerabilities is already available to heise Security.