SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Microsoft Azure alert for authentication bypass vulnerability in Linux products
Fri, 17th Sep 2021

A critical alert is being distributed to Microsoft Azure customers regarding an authentication bypass vulnerability in Open Management Infrastructure (OMI), an open source software agent used to perform remote management on Linux-based products.

A patch is currently available for this vulnerability, however given the nature of the software, many sysadmins are potentially unaware they have the OMI product installed and are therefore at risk.

Microsoft announced an update to one of its Linux products on Patch Tuesday, fixing a bug known formally as CVE-2021-38647, but informally dubbed "OMIGOD".

The nickname is a pun coined by Wiz, the company that discovered the flaw along with three others, and plays on the fact that the affected product is called Microsoft OMI, short for Open Management Infrastructure.

But the soubriquet also has a serious side that's intended as a reminder that this bug could be very dangerous if left unpatched, according to Sophos.

Simply put, it's an "authentication bypass" flaw that is quite literally a bypass - instead of guessing at the necessary authentication token (essentially a session password), you scrupulously avoid mentioning authentication at all, and the fact that you've left out your authentication attempt entirely causes the server to leave out its authentication check entirely.

"It's a bit like being able to sneak through passport control by carefully showing up with no ID whatsoever," says Paul Ducklin, Principal Research Scientist at Sophos.

"Imagine that instead of the border guards checking that you did have genuine ID, they merely checked that you didn't have any fake ID on you. Arrive empty handed, and you'll always pass that sort of test."
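The flaw class described above, modelled as an added example that is not code from the article, Sophos, Wiz or the OMI project: a "fail-open" check that only validates a token when one is present, beside the "fail-closed" form that treats missing credentials as a rejection. The token store, header names and request shape are constructed for illustration and are not OMI's wire format.

```python
"""Fail-open vs fail-closed authentication checks (constructed toy model)."""
import hmac
from typing import Dict, Optional

# Constructed secret store: token -> principal. A real daemon would consult
# the OS or an identity provider, never an in-memory dict like this.
VALID_TOKENS = {"tok-alice-123": "alice", "tok-ops-456": "ops"}


def _lookup(token: str) -> Optional[str]:
    """Constant-time comparison of the supplied token against every known one."""
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(known, token):
            return principal
    return None


def authenticate_fail_open(headers: Dict[str, str]) -> Optional[str]:
    """Vulnerable pattern: only *present but wrong* credentials are rejected.

    A request that omits the Authorization header never reaches the check and
    falls through to the daemon's own identity (root in this model).
    """
    token = headers.get("Authorization")
    if token is not None:
        return _lookup(token)    # wrong token -> None -> rejected
    return "root"                # missing token -> silently trusted


def authenticate_fail_closed(headers: Dict[str, str]) -> Optional[str]:
    """Hardened pattern: absence of credentials is itself a failure."""
    token = headers.get("Authorization")
    if token is None:
        return None              # no credentials -> rejected
    return _lookup(token)        # None for unknown tokens


def run_privileged_command(headers: Dict[str, str], strict: bool) -> str:
    """Dispatch a management request; report who it ran as, or 'denied'."""
    auth = authenticate_fail_closed if strict else authenticate_fail_open
    principal = auth(headers)
    return "denied" if principal is None else f"ran as {principal}"


if __name__ == "__main__":
    # Same empty request, two outcomes: the only difference is the check.
    print("fail-open  :", run_privileged_command({}, strict=False))
    print("fail-closed:", run_privileged_command({}, strict=True))
```

The point a reviewer should look for in any management agent is the `else` branch: every path that does not positively establish a principal must end in a rejection, not a default identity.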

The good news is that the bug is fixed, and that the patch has been available in Microsoft's open source repository for over a month already.

But the bad news is that some sysadmins might not realise they have the OMI product installed at all.

According to Wiz, it has identified several different Microsoft Azure services that, if selected at setup time (ironically, one of them is a tool called "Azure Automatic Update"), will install OMI automatically as a sort of silent partner. You therefore might not have the patch yet because you're unaware that you need it.

"If this security hole can be poked by attackers from outside your network," warns Ducklin, "it doesn't just get them in remotely, but it gets them in with 'root' powers, gifting them the same sort of system-wide access level that crooks from ransomware gangs would pay good money for. So don't delay... check your servers today!"

Microsoft this week pushed software updates to plug security gaps in its Windows software and related products, including a vulnerability that is already being exploited in active attacks.

The company released more than 60 security fixes and updates resolving issues including a remote code execution (RCE) flaw in MSHTML and other critical bugs.