The flaws stem from an open-source software agent embedded in Microsoft Azure tools.
According to a report in CRN, a research team at Wiz has reported four new vulnerabilities related to the Microsoft Azure cloud platform.
The four vulnerabilities arise from an open-source software agent embedded in Microsoft Azure tools, according to Wiz. The affected tools include Automation, Operations Management Suite, Diagnostics and Log Analytics. Wiz says Microsoft has not yet fixed the affected services.
The agent, Open Management Infrastructure (OMI), deploys automatically without users’ knowledge when they set up a Linux virtual machine in the cloud and enable certain Azure services, according to a post from Wiz on Tuesday. Attackers can use the four vulnerabilities to gain root privileges and remotely encrypt files for ransom or execute other malicious code, Wiz reported. The company has nicknamed the vulnerabilities “OMIGOD.”
“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” according to the Wiz post. “In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.”
Microsoft is slow to react
The Redmond-based tech giant did release a patched OMI version, but as of September 15 it had not yet fixed the affected services, according to Wiz. The other affected tools include Automatic Update and Configuration Management.
“Vulnerable OMI versions are still deployed to new Linux VMs when enabling these services,” Wiz says. A Microsoft software developer posted to GitHub on Wednesday that “the team is aware of the vulnerability in the OMI dependency.” He added that “we are currently generating a release using the fixed OMI version and will publish the release once verified.”
Nir Ohfeld, a Wiz senior security researcher, told CRN in an interview that although open source code can be more secure than proprietary software because of the number of programmers looking at the code, bad open source code can end up in a wide range of products and services.
“You can configure your machine so good, enable all of Azure’s security measures, but those security measures are exactly the ones that installed the vulnerable agent,” he said.