Cybersecurity Threat Advisory 0065-21: Microsoft Azure OMIGOD Vulnerability

Threat Update

Microsoft’s September 2021 Patch Tuesday addressed four major vulnerabilities that impact users of Microsoft’s Azure platform. Two of them, tracked as CVE-2021-38647 and CVE-2021-38648, are covered in this advisory. They are collectively referred to as OMIGOD, a reference to “Open Management Infrastructure” (OMI), the agent that makes Azure Linux virtual machines vulnerable to these attacks. The Mirai botnet is currently exploiting these vulnerabilities. The potential for damage is high, as Azure is a very widely used and trusted service worldwide. Barracuda MSP recommends applying patches to the affected services immediately to ensure that your network is no longer vulnerable to these exploits.

Technical Detail & Additional Information

WHAT IS THE THREAT?

CVE-2021-38647 – Remote Code Execution Vulnerability

  • This vulnerability carries a CVSS rating of 9.8. It is very severe because it allows unauthenticated users to execute arbitrary code with root-level privileges, which means attackers can essentially run any command they want on the device.

CVE-2021-38648 – Privilege Escalation Vulnerability

  • This vulnerability is rated 7.8. Its outcome is similar to the previous one: a low-privileged user could escalate to administrative rights, which would allow them to execute arbitrary code and commands, add or delete users, steal information, and more.

WHY IS IT NOTEWORTHY?

Microsoft Azure is widely used and trusted worldwide. The reported number of companies using the platform exceeds the hundreds of thousands, and Azure, like other Microsoft services, is integrated into the everyday business of these companies. As a result, attackers are always looking for ways to exploit devices running Microsoft products: the sheer number of such devices across these businesses makes the pool of potential targets very large. It is very important to take any recommendations released by Microsoft seriously and keep these devices and services updated. Attackers gaining the ability to execute code or escalate privileges could cause major damage.

WHAT IS THE EXPOSURE OR RISK?

The fact that Azure and Microsoft products are so widely used makes any vulnerability in these devices or services highly concerning, because of their integration into everyday business worldwide. These specific exploits could allow attackers to execute code remotely with root privileges and to escalate privileges. The Mirai botnet’s exploitation of these vulnerabilities makes the exploits even more dangerous. This could lead to several possible compromises, such as denial of service attacks, the deletion or creation of files, and even complete system compromise. Many companies rely on sensitive data stored in their Azure environments remaining private and on being able to use the platform to conduct everyday business. These vulnerabilities put both expectations at risk if exploited, so it is very important to ensure Microsoft’s recommendations are followed.

WHAT ARE THE RECOMMENDATIONS?

  • This vulnerability is exploitable on OMI agent versions 1.6.8.0 and older. If you are running this version or an older one, it is very important that you update to apply the patches immediately.
  • Additional measures are restricting access to, or even closing, the management ports 5985, 5986 and 1270 on Linux systems that expose them (5985 and 5986 are also used for remote PowerShell on Windows, and that service is not vulnerable to these exploits).
  • Keep an eye out for communications from unknown IPs to your environment, as over 80 IPs have been reported as trying to exploit these vulnerabilities.
  • Ensure that the VMs are deployed within a Network Security Group, or behind a perimeter firewall.
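The following shell script is an added example, not part of the Barracuda advisory or of Microsoft's tooling. It turns the two host-level recommendations above into a triage check for a Linux VM: it compares the installed OMI version against the first fixed release, and it lists which of the management ports 5985, 5986 and 1270 are listening on a non-loopback address. It assumes the agent is installed as the package named "omi" (dpkg or rpm), that `ss -lnt` is available, and that 1.6.8.1 is the first fixed release, which follows from the advisory's "1.6.8.0 and older"; the `ss` output used in the self-check is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: OMIGOD triage helpers for a Linux host.
# Assumptions: OMI is packaged as "omi"; 1.6.8.1 is the first fixed release;
# "ss -lnt" prints "Local Address:Port" in column 4.

OMI_FIRST_FIXED="1.6.8.1"
OMI_MGMT_PORTS="5985 5986 1270"

# version_cmp A B -> prints -1, 0 or 1 (dotted versions, up to four fields).
# ".0.0.0" is appended so that "cut" always finds every field.
version_cmp() {
    local a b i x y
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# omi_version_vulnerable VERSION -> true when VERSION is 1.6.8.0 or older
omi_version_vulnerable() {
    [ "$(version_cmp "$1" "$OMI_FIRST_FIXED")" -lt 0 ]
}

# omi_installed_version -> prints the installed OMI version (assumed package
# name "omi"); returns 1 when the agent is not installed. Debian revisions
# such as "-0" are stripped so only the upstream version is compared.
omi_installed_version() {
    local v
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && { printf '%s' "${v%%-*}"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' omi 2>/dev/null) && { printf '%s' "$v"; return 0; }
    fi
    return 1
}

# exposed_mgmt_ports SS_OUTPUT -> prints each management port that is
# listening on something other than loopback, one per line, sorted.
exposed_mgmt_ports() {
    printf '%s\n' "$1" | awk -v ports="$OMI_MGMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR > 1 {
            addr = $4                      # Local Address:Port column
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if ((port in want) && host != "127.0.0.1" && host != "[::1]") print port
        }' | sort -u
}

# Constructed sample of "ss -lnt" output for the self-check below:
# 5986 and 1270 are exposed, 5985 is bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*
LISTEN 0      128    [::]:1270          [::]:*'

# omi_report -> human-readable summary for the host this runs on
omi_report() {
    local ver exposed
    if ver=$(omi_installed_version); then
        if omi_version_vulnerable "$ver"; then
            echo "OMI $ver is vulnerable (OMIGOD): update to $OMI_FIRST_FIXED or later"
        else
            echo "OMI $ver is at or past the fixed release $OMI_FIRST_FIXED"
        fi
    else
        echo "OMI agent package not installed on this host"
    fi
    if command -v ss >/dev/null 2>&1; then
        exposed=$(exposed_mgmt_ports "$(ss -lnt 2>/dev/null)")
        if [ -n "$exposed" ]; then
            echo "management ports listening on non-loopback addresses: $(printf '%s' "$exposed" | tr '\n' ' ')"
        fi
    fi
    return 0
}

omi_report
```

Run it with a normal user account on each Linux VM: the version check needs only the package database, and the port check reads `ss` output, so no elevated privileges are required. A port listed as exposed is not itself proof of compromise; it means the Network Security Group or host firewall rule from the recommendations above still has to be in place in front of that VM.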

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.