critical

OMIGOD

Published Tue, Jun 1st, 2021

Platforms

Summary

Azure forces the install of an agent on Linux VMs, which contained a vulnerability that would grant root RCE if an attacker could send a web request to them. Initially, Microsoft did not update the agent automatically, and so customers had to patch manually, but a few days later they began patching some services remotely.

Affected Services

OMI

Remediation

None required, client needed to be auto-updated.

Tracked CVEs

CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649

References

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

Contributed by https://github.com/0xdabbad00

Disclosure Date

Tue, Sep 14th, 2021

Exploitablity Period

Known ITW Exploitation

true

Detection Methods

OMI version < 1.6.8.1

Piercing Index Rating

8.66

(PI:1.5/A1:20/A2:1/A7:1/A8:1.1)

Discovered by

Nir Ohfeld, Wiz

More vulnerabilities...

medium

Privilege escalation in GCP OS Login

GCP provides an OS Login service for managing SSH access to compute instances using IAM roles. An attacker could abuse this feature via LXD, Docker (if available on the target system) and DHCP pois...

Chris Moberly

Wed, Mar 17th, 2021

medium

AWS CloudShell terminal escape

If attacker controlled data is viewed in Cloudshell it could have led to code execution. This exact same issue existed in Azure previously.

Felix Wilhelm, Google

Wed, Mar 10th, 2021

medium

Azure Linux VM extension credential leak

A vulnerability in the Azure Linux VM extension mechanism allowed an unprivileged user to leak any Azure VM extension’s private data. An attacker could have abused this to gain credentials for the ...

Paul Litvak (Intezer), Wout...

Tue, Mar 9th, 2021

View all