The disclosure of this week’s serious RCE vulnerability in the relatively unknown software agent OMI (Open Management Infrastructure) is eye-opening to many, and sheds light on the often overlooked topic of hidden risks. This particular hidden risk was silently installed on behalf of Microsoft Azure users, who now have to upgrade agents they did not know existed and never knowingly installed themselves.
Though some have described it as a vulnerability you would expect to see in the 90s, it is no less dangerous for feeling out of its time. Because Azure provides virtually no public documentation about OMI, most people have never heard of it and are unaware that this attack surface exists in their environment.
And if you are unaware something exists, then how are you supposed to protect it?
What is OMI?
Open Management Infrastructure (OMI) is an open source project sponsored by Microsoft in collaboration with The Open Group. It is, in essence, comparable to Windows Management Instrumentation (WMI) for UNIX/Linux systems.
OMI allows you to gather statistics and sync configurations across your environment. It is easy to use, and because of this it is used extensively by Azure services, including Open Management Suite (OMS), Azure Insights and Azure Automation.
The OMI CIMOM is also designed to be portable and highly modular. To attain its small footprint it is written in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components whose management processor has memory constraints. It builds and runs today on most UNIX® systems and on Linux. In addition to its small footprint, OMI also delivers very high performance.
What exactly happened?
On Tuesday, September 14th, researchers at the company Wiz disclosed a series of zero-days in the Microsoft open source project Open Management Infrastructure (OMI). Three of the zero-days are privilege escalation vulnerabilities; using them, attackers can become root on a remote machine.
The fourth and most serious vulnerability allows remote code execution (RCE). Exploiting it requires only a single packet: by simply removing the authentication header, an attacker can become root on a remote machine.
Azure customers running Linux machines are at risk; unfortunately, however, the exposure goes beyond that. While we know that certain Azure services and tools are affected (Azure Automation, Azure Log Analytics, etc.), there may be additional Azure services affected as well.
On top of that, the vulnerability goes beyond Azure alone, because OMI is an open source project that can also be installed independently on any Linux machine, potentially leaving other Microsoft customers affected too.
Devices with OMI are vulnerable if they are not running the latest patched version.
Patch OMI to the latest version using your platform’s package tool (for example, ‘sudo apt-get install omi’ or ‘sudo yum install omi’); for more details, see the Microsoft update guide.
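Since the first problem with a hidden agent is knowing whether it is on a host at all, here is an added example (not from the original post) of a small POSIX shell check that reports whether the OMI package is installed and whether its version is older than a minimum patched version you pass in. The package name ‘omi’ and the dpkg/rpm queries are assumptions about the standard packaging; the minimum version itself is a placeholder argument to be taken from the Microsoft update guide.

```shell
#!/bin/sh
# Added example (not from the original post): inventory check for the OMI agent
# on a Linux host. Reports whether OMI is present and whether its package
# version is below a minimum patched version supplied by the operator.

# Print the installed OMI package version; return 1 when OMI is not installed.
# Looks at dpkg (Debian/Ubuntu) first, then rpm (RHEL/CentOS/SLES).
# Assumption: the package is named "omi" in both package systems.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# Return 0 when version $1 is numerically older than $2, comparing field by
# field. "-" is treated like "." (so 1.6.8-1 equals 1.6.8.1), non-digits are
# dropped, and missing trailing fields count as 0.
version_lt() {
    a=$(printf '%s.' "$1" | tr '-' '.')
    b=$(printf '%s.' "$2" | tr '-' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        if [ -z "$x" ] && [ -z "$y" ]; then return 1; fi   # all fields equal
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# Exit 0 if OMI is absent or at/above the minimum patched version, 2 if an
# older (vulnerable) version is installed. Argument: minimum patched version.
omi_check() {
    min="$1"
    if ! v=$(omi_installed_version); then
        echo "OMI: not installed"; return 0
    fi
    if version_lt "$v" "$min"; then
        echo "OMI $v is older than $min: upgrade required"; return 2
    fi
    echo "OMI $v is at or above $min"; return 0
}

# Usage: sh omi_check.sh <minimum-patched-version>
# Placeholder: take the real version number from the Microsoft update guide.
if [ "$#" -eq 1 ]; then omi_check "$1"; fi
```

Run it from your configuration management or inventory tooling against every Linux host, not only the ones you believe run Azure agents, since the point of the post is that the agent may be present where nobody installed it knowingly.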
But that covers just this particular issue, which leaves us with the question of: how does one handle hidden risks in general?
The answer to the question above is easy, and perhaps not what people want to hear. Sometimes, you need to plan to fail. The current fast, digital world comes with many dangers, threats and exploits and preparing for all of them is simply impossible.
You have to accept that one day, things might go wrong, but that doesn’t mean you can’t still prepare for that day.
By using advanced segmentation and data protection, you can ensure that even when things go wrong, everything is in place to keep any potential damage to a minimum. Zero Trust security lets you effectively reduce the portion of your network that is exposed to a potential attack.
The Zero Trust strategy takes nothing for granted when it comes to trust, and neither should you. This way you can plan to fail, minimize the damage of a potential attack, and still rest easy while knowing that hidden risks are, and always will be, a reality.