Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Microsoft Azure services might be patched for this well-known Open Management Infrastructure (OMI) vulnerability, lowering the likelihood of an attack. But simple exploit code is publicly available for attacking vulnerable Azure services. An attacker can gain control of an Azure virtual machine (VM) with root privileges and attempt to compromise more targets across a network.
Kill Chain
Risk Score
78
OMI is a software agent that enables remote management by Microsoft Azure services on Linux VMs. The OMI agent is installed by default on Linux VMs by certain Azure services (also known as VM management extensions) such as Azure Diagnostics and Azure Automation. The OMI agent is vulnerable to remote code execution (RCE), allowing an unauthenticated attacker to run malicious code on the VM. The attacker creates a specially designed HTTP POST request, which omits the Authorization header, to a /wsman endpoint on an open OMI port for remote management (1). The OMI agent sends a response to indicate that the POST request was accepted (2) and runs malicious code in the request with root privileges on the VM. The attacker can access the VM, run commands with elevated privileges, and compromise new target VMs on the network.
