WTF? Microsoft makes fixing deadly OMIGOD flaws on Azure your job • The Register
Microsoft Azure users running Linux virtual machines in the IT giant’s cloud should take steps to protect against the four “OMIGOD” bugs in the Open Management Infrastructure (OMI) framework, because Microsoft has not rushed to do it for them.
As The Register described in our Patch Tuesday report this month, Microsoft has released fixes for the security vulnerabilities Wiz spotted in OMI. Wiz named the four flaws OMIGOD because they are that astonishing.
The least serious of the defects is rated 7/10 on the Common Vulnerability Scoring System. The worst is rated critical at 9.8 / 10.
To complicate matters, running OMI isn’t something Azure users actively choose.
As Wiz explained, “When customers configure a Linux virtual machine in [Azure], the OMI agent is automatically deployed without their knowledge when they activate certain Azure services.
“Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for example, encrypting files for ransom).”
In the face of this threat, it seems reasonable to expect Microsoft to patch all the OMI agents it deploys and to update virtual machines running vulnerable versions. This is the sort of thing cloud operators typically do, and do quietly before vulnerabilities are made public, so attackers don’t go to town.
Microsoft did not do that on this occasion. Instead, the super-corp continued to deploy known-bad versions of OMI when users created new Linux virtual machines.
The Windows goliath’s latest advice, dated September 16, reads: “Customers should update vulnerable extensions for their cloud and on-premises deployments as the updates become available per the schedule shown in the table below.”
Poor formatting means the table is wider than the content area of Microsoft’s webpage, so quite a bit of horizontal and vertical scrolling is required to learn that automatic updates have been enabled for six of the Azure services affected by the bugs. Seven other services require manual updates. And even then, the automatic updates are a gradual rollout over this month, not an immediate one.
It is up to you to make sure you are running the latest OMI software on your Linux guests; a vulnerable build may have been injected into the virtual machine if you enabled certain services (see the table above).
Naturally, Microsoft’s actions, or the lack thereof, did not go down well.
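As a worked example of that check, the following POSIX shell script (added here; it is not from the article, from Wiz, or from Microsoft) reads the installed OMI package version from dpkg or rpm, compares it component by component against a minimum version, and reports whether the omiserver process is listening on a network socket at all. The minimum version is deliberately left as a placeholder in OMI_MIN_VERSION; fill it in from Microsoft's OMIGOD advisory. Run it as root so that ss can attribute listening sockets to omiserver.

```shell
#!/bin/sh
# Added example (not the article's or Microsoft's code): is the OMI agent on this
# Linux VM older than the patched build, and is it reachable over the network?
# OMI_MIN_VERSION is a placeholder; take the value from Microsoft's OMIGOD advisory.

OMI_MIN_VERSION="${OMI_MIN_VERSION:-}"

# Turn "1.6.8-1" (dpkg/rpm style) or "1.6.8.1" into "1.6.8.1" so both compare alike.
normalize_version() {
    printf '%s\n' "$1" | tr '-' '.'
}

# Return 0 (true) when version $1 is at least version $2, comparing each
# numeric component in turn; missing trailing components count as 0.
version_at_least() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # ran out of components: equal
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Print the installed OMI package version (dpkg or rpm hosts); print nothing if absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
    fi
}

# Classify a version string against OMI_MIN_VERSION:
# missing (no package), unknown (no threshold set), vulnerable, or patched.
assess_omi_version() {
    v="$1"
    if [ -z "$v" ]; then
        echo missing
    elif [ -z "$OMI_MIN_VERSION" ]; then
        echo unknown
    elif version_at_least "$v" "$OMI_MIN_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# TCP listeners owned by omiserver. A non-empty result means the agent is
# reachable over the network (OMI's remote-management ports are 5985/5986)
# rather than only through its local Unix socket. Needs root for process names.
omi_listening_ports() {
    ss -ltnp 2>/dev/null | grep -i omiserver || true
}

main() {
    v=$(installed_omi_version)
    state=$(assess_omi_version "$v")
    printf 'OMI package version: %s -> %s\n' "${v:-none}" "$state"
    listeners=$(omi_listening_ports)
    if [ -n "$listeners" ]; then
        printf 'omiserver is listening on the network:\n%s\n' "$listeners"
    fi
    # Non-zero exit only when a patch is needed, so the check can gate automation.
    [ "$state" != vulnerable ]
}

main "$@"
```

Because the script exits non-zero only in the vulnerable state, it can be dropped into a fleet-wide run (for example via the Azure run-command facility or any configuration-management tool) to produce a list of guests that still need the manual update Microsoft's table calls for.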
They also failed to update their own systems in Azure to install the patched version on new VM deployments. It is frankly breathtaking.
– Kevin Beaumont (@GossiTheDog) September 16, 2021
Researchers quickly found unpatched instances of OMI.
Security provider Censys, for example, wrote that it had found “56 known exposed services around the world that are likely vulnerable to this problem, including a large healthcare organization and two large entertainment companies.”
Fortunately, the company also found that “mass external exposure, as seen with other hosts in the past (Microsoft Exchange comes to mind), does not appear to be present in this case.”
In other words, there may not be that many vulnerable machines exposed to the public internet.
That said, the method needed to exploit the flaw is so simple that attacks surely won’t be long in coming. We have already seen public proof-of-concept exploit code.
Sophos’ description of the flaw explains the danger:
So your next step is obvious: patch as soon as possible. Because, as Censys puts it, “these issues would easily allow compromises with the highest possible privileges in any host running OMI.” ®