Microsoft Azure Services Bug Let Hackers Gain Root Access on Cloud When Users Set Up a Linux VM

Wiz's security research team has found a series of dangerous vulnerabilities in Microsoft Azure services that enable threat actors to gain root access on Linux virtual machines set up in the Azure cloud.

The root of the problem is a software agent called Open Management Infrastructure (OMI), which is embedded in many widely used Azure services.

There are four security flaws in the OMI client, and all of them could easily enable threat actors to hijack Azure Linux VMs.

These vulnerabilities highlight the supply chain risk that open source code carries, and they will affect customers of cloud computing services.

Researchers also said that they have observed widespread active exploitation attempts of OMIGOD by malicious DDoS botnets (Mirai) and cryptominers.

“When customers set up a Linux virtual machine in their cloud, the OMI agent is automatically deployed without their knowledge when they enable certain Azure services,” Wiz said.

This is not the first time that Wiz has tackled a vulnerability inside Microsoft Azure. The security analysts have also revealed the scale of the risk introduced by Azure Cosmos DB.

However, this kind of attack generally affects many prominent companies, such as:

  • Rolls-Royce
  • Coca-Cola
  • Mercedes-Benz
  • Siemens
  • Symantec

Bugs open Azure environments to easy takeovers

The four security flaws are:

  • CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
  • CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
  • CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
  • CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

Who is vulnerable?

All of these Linux machines probably use the on-premises features. Most importantly, OMI is not used solely in Microsoft Azure; giants such as Google Cloud Platform and Amazon Web Services also use it.

Microsoft declared that Azure customers on Linux machines, which account for over half of all Azure instances, are at risk. Other Microsoft customers are also affected, because OMI can be freely installed on any kind of Linux machine.

Attack surface

Of the four security flaws, three of the zero-days are classified as privilege escalation vulnerabilities. They allow threat actors to obtain the highest privileges on a Linux VM with OMI installed.

The fourth vulnerability is the most dangerous of all, as it enables remote code execution (RCE). Threat actors can also use it to gain initial access to a target Azure environment.

No auto patching mechanism

Microsoft has released patches for these four critical OMI vulnerabilities, but there is no built-in auto-update mechanism in the app.

  • CVE-2021-38647  Open Management Infrastructure Remote Code Execution Vulnerability
  • CVE-2021-38648  Open Management Infrastructure Elevation of Privilege Vulnerability
  • CVE-2021-38645  Open Management Infrastructure Elevation of Privilege Vulnerability
  • CVE-2021-38649  Open Management Infrastructure Elevation of Privilege Vulnerability

This implies that most Azure Linux VMs will remain vulnerable to attack until every user manually updates the client themselves.

Because many users do not know that the app has been installed on their systems, it will take time for them to understand and grasp the details.

Apart from the patches, Microsoft has stated that if users have OMI listening on ports 5985, 5986, or 1270, it recommends restricting network access to those ports as soon as possible, to protect against the RCE vulnerability (CVE-2021-38647).

Moreover, all Azure users should always run the current OMI version, as it includes the security patches.
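To act on the port recommendation above, a defender first needs to know whether anything on a VM is listening on 5985, 5986 or 1270 on a remotely reachable address. The following is an added example, not code from Wiz or Microsoft; the function names and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag listeners on the OMI ports
# 5985, 5986 and 1270 that are bound to a non-loopback address.

# Reads `ss -Hltn`-style lines on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
# Prints "port address" for each listener that is reachable off-host.
omi_exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, parts, ":")      # port is the text after the last colon
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port != "5985" && port != "5986" && port != "1270") next
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only listener
        print port, addr
    }'
}

# Constructed sample input (hypothetical, not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 15 0.0.0.0:5986 0.0.0.0:* users:(("omiengine",pid=1402,fd=7))
LISTEN 0 15 127.0.0.1:5985 0.0.0.0:* users:(("omiengine",pid=1402,fd=8))
LISTEN 0 15 [::]:1270 [::]:* users:(("omiengine",pid=1402,fd=9))
EOF
}

# Demo on the sample; on a live host run: ss -Hltn | omi_exposed_listeners
sample_ss_output | omi_exposed_listeners
```

The check is port-based only, so confirm the owning process with `ss -Hltnp` as root before treating a hit as OMI. Any line it prints is a listener whose network access should be restricted at the host firewall or network security group.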


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.