Microsoft’s latest guidelines regarding the recently disclosed OMI vulnerabilities have put the onus on users to patch many of the affected Azure services.
The September Patch Tuesday bundle shipped with fixes for four zero-day vulnerabilities in the open source software agent named Open Management Infrastructure (OMI), which is automatically deployed inside Linux virtual machines (VMs) when users enable certain Azure services.
However, instead of patching all affected Azure services, Microsoft has published an advisory stating that while it’ll update six of them, seven others must be updated by users themselves.
“Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below...For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions across Azure regions as per the schedule in the table below,” reads the advisory.
High and dry
The Register points out that Microsoft’s handling of the situation hasn’t gone down well with security researchers.
“They’ve also failed to update their own systems in Azure to install the patched version on new VM deployments. It’s honestly jaw dropping,” tweeted security researcher Kevin Beaumont.
Since Microsoft has left it to users to patch the impacted services, it didn’t take researchers long to discover vulnerable instances.
“There are 56 known exposed services worldwide that are likely vulnerable to this issue, including a major health organization and two major entertainment companies,” wrote security vendor Censys after performing an impact assessment.
While the number seems small, Censys reasons it’s probably because of how the OMI service responds to such scans, or perhaps because exposing OMI to the internet likely requires deliberate effort.
In any case, since exploiting the vulnerability is a “laughably easy trick” according to Sophos, security researchers strongly urge users to patch any vulnerable OMI-using services in their Azure deployments without delay.
Via The Register