Microsoft Azure silently install management agents on your Linux VMs, which now have RCE and LPE vulns.

Microsoft don’t have an auto update mechanism, so now you need to manually upgrade the agents you didn’t know existed as you didn’t install them. wiz.io/blog/secret-ag…
Microsoft also need to fix this one. The OMSagent (Sentinel etc) has an LPE to root.
I would tend to take the view MS needs to fix this stuff as it is embarrassingly risky for customers.
I just spun up a brand new Linux VM in Azure, enabled monitoring, and then checked for OMIGOD vulnerability... it's still vuln.

MS fixed it in 1.6.8.1, however they aren't installing the patched version. Single HTTP request RCE, ahoy!
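Since the thread names 1.6.8.1 as the fixed OMI version but says Azure keeps shipping older builds, a defender's first step is to check what is actually installed. The script below is an added example (not the author's code); it reads the omi package version via dpkg-query or rpm and compares it against 1.6.8.1. The sample version strings are constructed, not captured from a real host.

```python
"""Check whether the installed OMI package is at or above the fixed version (1.6.8.1).
Assumptions: the package is named 'omi' in dpkg/rpm; sample strings below are constructed."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_OMI_VERSION = (1, 6, 8, 1)  # version the thread names as containing the fix


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first four-part version (1.6.8.1 or 1.6.8-1) out of package-manager output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_patched(version: Tuple[int, ...]) -> bool:
    """Tuple comparison handles 1.6.10.x correctly, unlike a plain string compare."""
    return tuple(version) >= FIXED_OMI_VERSION


def assess(version_text: str) -> str:
    """Turn raw package output into a one-line verdict."""
    v = parse_version(version_text)
    if v is None:
        return "omi not installed"
    return "patched" if is_patched(v) else "VULNERABLE: upgrade omi to >= 1.6.8.1"


def installed_omi_version_text() -> str:
    """Query the local package database on Debian/Ubuntu or RPM-based hosts."""
    if shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", "-f=${Version}", "omi"]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"]
    else:
        return ""
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.stdout if res.returncode == 0 else ""


# Constructed samples: an old build and the fixed build in dpkg's 'upstream-revision' form
SAMPLE_OLD = "1.6.4-1"
SAMPLE_FIXED = "1.6.8-1"

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(f"sample {label}: {assess(sample)}")
    print("this host:", assess(installed_omi_version_text()))
```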
Here's me exploiting it remotely on a newly provisioned (today) Azure VM with a single curl request, it's essentially ended up as a zero day as it hasn't been fixed in Azure.
Shodan search to find these (they always use port + cloudapp certificate).

There are 15,700 online with no auth RCE including with US Gov and such in hostnames, this looks like a big problem waiting as you land behind vNets. beta.shodan.io/search/report?…
As an example of the scale of problem. MS need to fix this somehow, automatically, on all customers systems where they installed it - before an exploit goes public.
God @GreyNoiseIO are quick :D
Word on the street is Microsoft are aware of the severity of the issue and are trying to address.

A new Azure VM I spun up tonight still has the vuln agent, so there’s a bunch of work to do.

It’s really easy to exploit.
Also if you use Azure Sentinel or Defender for Endpoint for Linux, you will probably get instructions later.
Lol, my OMIGOD test box is now running a coin miner. It’s officially a vuln now, we should retire CVEs and go for Doge numbers.
I’m going to release a public exploit for this when I get time, hopefully it will be the boot up the arse to get it fixed properly.
There’s a working exploit for #OMIGOD now, if you want to own your Azure VMs. HT @HackingLZ

$ python3 omigod.py -t 10.0.0.5 -c id
uid=0(root) gid=0(root) groups=0(root)

github.com/horizon3ai/CVE…
Obviously the number one mitigation is don’t allow everything in from the internet. Vnets allow traffic inside vnet so good for lateral movement within an org.

Many people replied saying their OMI version is years behind, the vuln is indeed years old so footprint probably big.
An update - I deployed a new Azure VM and it is finally not vulnerable!

My VM deployed yesterday is still not patched.

Below is the new VM.
Mirai botnet is exploiting #OMIGOD - they drop a version of Mirai DDoS botnet and then close 5896 (OMI SSL port) from the internet to stop other people exploiting the same box.
Azure abuse team webcam.
Yep, Azure Log Analytics still deploys the vuln version of OMI on VMs. Incredible stuff.
Some good news is:

- The Mirai botnet attempts to exploit this are currently hobbled by them not being able to understand a GitHub PoC.

- The number of truly internet exposed hosts is likely low, as it is denied by default (unless you open it up).
Obviously it’s problematic for enterprises as traffic is allowed inside vNets (so, zero effort lateral movement if you didn’t zone things out well).
Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given Mirai can enter networks and spread laterally via multiple vulns, this might be problematic. cadosecurity.com/azure-omi-vuln…
Greynoise confirm they’re seeing Mirai exploiting #OMIGOD in the wild now.
BadPackets seeing exploitation of #OMIGOD too, this time on port 1270.
“For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft will be updating the extension on the affected VM’s transparently for the customer.”

MSRC have updated blog again overnight msrc-blog.microsoft.com/2021/09/16/add…
To translate that, as an example if you enabled Log Analytics or Sentinel on an Azure VM you will get patched by Tuesday.

“Automatic updates will be enabled and completed by 9/22/2021.”

Absolutely should reduce attack surface, as orgs didn’t know they had OMI on Azure VMs.

More from @GossiTheDog

17 Sep
It feels redundant saying anything about MS and security related as it’s a bit stop-it-hes-dead.gif, but here’s the disclosure timeline for #OMIGOD.

After almost 4 months, Microsoft still haven’t got automatic patching working for customers. 🤷‍♀️

wiz.io/blog/omigod-cr…
One of my concerns here would be OMI will sit on millions of endpoints, it’s installed by Microsoft, it includes a CVSS 9.8 score unauth RCE, it sits in Azure which is a primary cash cow for MS… and MS seem to be completely unprepared after 4 months.
So in sentence my concern would be, this smells like dead bodies everywhere in Azure. Hopefully it is the exception rather than the rule.
16 Sep
What may be a Chinese APT broke into one of my honeypot orgs with ProxyShell.

This will definitely be burning this honeypot, but in the public good. Hashes follow in thread. No analysis yet as busy with work.

Had a custom IIS module backdoor, Mgbot (UDP backdoor) etc.
15 Sep
“I submitted this to secure@microsoft.com on the 22 May 2018, but received a response advising I raise an issue here”

👀
The OMS Agent GitHub is a maze of open security vulns, there’s threads going back years unanswered.
If you talk to MS support about it they will tell you MS OMS isn’t supported, however several of their security products are built on it (and will auto install it on Azure).

They appear to have EOL’d their own security stack while requiring customers install it, which is bold.
14 Sep
Does anybody know if there's any new security features in Windows 11?

I don't count TPM, HVCI as those features were in Windows 10.
This is a serious question, already have TPM, HVCI, VBS etc so trying to figure out how to build a business case for Windows 11.

It launches soon so I'm guessing there's a webpage I'm missing.
I want to believe there's a ton of new security features in Windows 11 and MS have just not written them down in the marketing.
7 Sep
This one is legit and is going to be worse than the Equation Editor CVEs (which make up almost all endpoint exploitation still), so strap in.
Microsoft’s guidance for this requires you to be running their AV and EDR tooling, directs you to definitions 1.349.22.0 which I suspect is a typo (they’re on .222), and says if you run Defender you do not need to take additional action. EDR in block mode isn’t default.
So if you’re Microsoft EDR but not AV (actually a majority of customers, btw) nothing is blocked, unless you set EDR to block mode.
6 Sep
There’s a good thread on ProtonMail here. When services say they don’t keep logs, laugh. Businesses are businesses and will business when the police turn up.
They comply with Swiss legal requests, which includes on VPN logs by the way.
They've published a blog: protonmail.com/blog/climate-a…

I think one thing it highlights is @ProtonMail have a blog about how brilliant Swiss laws are for privacy... but this case shoots holes throughout their marketing as it was a climate change activist.