Cloud security vendor Wiz, which recently made news by discovering a massive vulnerability in Microsoft Azure's Cosmos DB managed database service, has found another hole in Azure.
The new vulnerability affects Linux virtual machines on Azure. They end up with a little-known service called OMI installed as a byproduct of enabling any of several logging, reporting, and/or management options in Azure's UI.
At its worst, the vulnerability in OMI could be leveraged into remote root code execution—although thankfully, Azure’s on-by-default, outside-the-VM firewall will limit it to most customers’ internal networks only.
Opting in to any of several attractive Azure infrastructure services (such as distributed logging) automatically installs a little-known service inside the Azure virtual machine in question. That service, OMI (short for Open Management Infrastructure), is intended to function much like Microsoft Windows' WMI service, enabling collection of logs and metrics as well as some remote management.
Part of the OMI specification requires authentication in order to bind commands and requests to a specific user ID (UID). Unfortunately, a bug caused malformed requests that omit the authentication header entirely to be accepted as though issued by the root user itself (UID 0).
When configured for remote management, OMI runs an HTTPS server on port 5986, which can be connected to with a standard HTTPS client like curl and given reasonably human-readable commands in the XML-derived SOAP protocol. In other configurations, OMI only listens on a local Unix socket at /var/opt/omi/run/omiserver.sock, which limits its exploitation to local users only.
As Wiz senior security researcher Nir Ohfeld walked me through a demonstration of the vulnerability, he described it mostly in terms of privilege escalation—an attacker who gets any toehold on an affected virtual machine can issue any arbitrary command as root using OMI syntax.
In larger environments where OMI listens on a network port, not just a local Unix socket, it’s also a great way to laterally pivot—an attacker who gets a shell on one VM in a customer’s Azure local network can typically use the buggy OMI to get control of any other virtual machine on the same network segment.
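The following is an added example, written for this page rather than taken from Wiz's or Microsoft's code, showing how an administrator would check their own hosts for the two exposures described above: the installed OMI package version, and whether a network-reachable omiserver on port 5986 still serves requests that carry no authentication header. The remote probe is deliberately read-only: it sends a standard WS-Management Enumerate for the SCX_OperatingSystem class instead of a command-execution request, so a vulnerable server merely discloses OS properties rather than running anything. The /wsman endpoint path, the SCX_OperatingSystem resource URI, and the fixed package version 1.6.8-1 are assumptions made for this example; confirm them against Microsoft's advisory and your distribution's package metadata before relying on the result.

```python
"""Check for the OMI unauthenticated-request bug: local package version and/or remote probe.

Added example for this article; not OMI's own code. Endpoint path, probe class and
fixed version below are assumptions, verify them against Microsoft's advisory.
"""
import argparse
import http.client
import re
import ssl
import subprocess
import uuid

FIXED_VERSION = "1.6.8-1"          # assumed first fixed omi package version
WSMAN_PATH = "/wsman"              # assumed WS-Man endpoint path served by omiserver
PROBE_CLASS = "http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"


def parse_version(text):
    """Turn '1.6.8-1' or '1.6.8.1' (dpkg/rpm render it both ways) into a comparable tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_is_vulnerable(installed):
    """True when the installed omi package predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_omi_version():
    """Ask dpkg, then rpm, for the omi package version; None if it is not installed."""
    queries = (
        ["dpkg-query", "-W", "-f", "${Version}", "omi"],
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"],
    )
    for cmd in queries:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        if out:
            return out
    return None


def build_unauthenticated_enumerate(host, port):
    """Return (headers, body) for a WS-Man Enumerate of PROBE_CLASS.

    The headers intentionally contain no Authorization entry: that is the malformed
    request the article describes. A patched omiserver rejects it with HTTP 401;
    the flawed one treats it as coming from uid 0 and answers with OS properties.
    """
    body = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
  xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
  <s:Header>
    <a:To>https://{host}:{port}{WSMAN_PATH}</a:To>
    <w:ResourceURI s:mustUnderstand="true">{PROBE_CLASS}</w:ResourceURI>
    <a:ReplyTo><a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address></a:ReplyTo>
    <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>
    <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
    <a:MessageID>uuid:{uuid.uuid4()}</a:MessageID>
    <w:OperationTimeout>PT60.000S</w:OperationTimeout>
  </s:Header>
  <s:Body><n:Enumerate/></s:Body>
</s:Envelope>"""
    headers = {"Content-Type": "application/soap+xml;charset=UTF-8"}  # no Authorization, on purpose
    return headers, body


def classify_response(status, body):
    """Map the server's answer to a verdict. Only a 200 that actually carries the
    probed class counts as proof; anything else is reported, not guessed at."""
    if status == 401:
        return "auth enforced (likely patched)"
    if status == 200 and "SCX_OperatingSystem" in body:
        return "VULNERABLE: unauthenticated request served as root"
    return f"inconclusive (HTTP {status})"


def probe_remote(host, port=5986, timeout=10):
    """Send the unauthenticated Enumerate over HTTPS and classify the reply."""
    headers, body = build_unauthenticated_enumerate(host, port)
    ctx = ssl._create_unverified_context()  # omiserver ships a self-signed certificate by default
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("POST", WSMAN_PATH, body=body.encode(), headers=headers)
        resp = conn.getresponse()
        return classify_response(resp.status, resp.read().decode(errors="replace"))
    finally:
        conn.close()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="OMI auth-bypass exposure check")
    ap.add_argument("--host", help="probe a remote omiserver instead of the local package")
    ap.add_argument("--port", type=int, default=5986)
    args = ap.parse_args()
    if args.host:
        print(f"{args.host}:{args.port}: {probe_remote(args.host, args.port)}")
    else:
        ver = installed_omi_version()
        if ver is None:
            print("omi package not installed")
        else:
            state = "VULNERABLE" if version_is_vulnerable(ver) else "fixed"
            print(f"omi {ver}: {state} (fixed in {FIXED_VERSION})")
```

Run it with no arguments on a VM to read the package version, or with `--host 10.0.0.5` from another machine on the same virtual network to see whether port 5986 is reachable and still honours requests with no credentials. Note that the version check matters even when nothing listens on the network: the Unix socket path is available to every local user, so an unpatched package is a local root escalation regardless of firewall rules.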
As it turns out, Azure isn't the only place you'll find OMI. Organizations that adopt Microsoft System Center (which gets advertised on every new install of Windows Server 2019 and up) and manage on- or off-premises Linux hosts with it also end up with the buggy version of OMI deployed on those managed hosts.