Security News > 2021 > September > Azure Zero-Day Flaws Highlight Lurking Supply-Chain Risk
Four Microsoft zero-day vulnerabilities in the Azure cloud platform's Open Management Infrastructure - a software that many don't know is embedded in a host of services - show that OMI represents a significant security blind spot, researchers said.
Though Microsoft patched them this week in its monthly Patch Tuesday raft of updates, their presence in OMI highlights the risk for the supply chain when companies unknowingly run code - particularly open-source code - on their systems that allows for exploitation, researchers said.
"One of the biggest challenges in preventing them is that our digital supply chain is not transparent," senior security researcher Nir Ohfeld wrote in the Wiz post.
Hidden Cloud Security Danger in OMI. One reason for the significant alarm over the flaws is that they are found in OMI, an agent automatically deployed when customers set up a Linux virtual machine in their cloud and enable certain Azure services, researchers explained.
CVE-2021-38647, with a 9.8 severity rating, is the most serious of the flaws, allowing for RCE. However, for it to be exploited, the Azure product using OMI would have to be one, such as Configuration Management, that exposes an HTTPS port, or port 5986, for interacting with OMI. "That's what makes RCE possible," Ohfeld explained.
In situations where the OMI ports are accessible to the internet to allow for remote management, threat actors can use the vulnerability co-obtain initial access to a target Azure environment and then move laterally within it, Ohfeld added.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-15 | CVE-2021-38647 | Improper Authentication vulnerability in Microsoft products Open Management Infrastructure Remote Code Execution Vulnerability | 9.8 |