Microsoft to Azure Linux users: Patch this problem yourself

Microsoft Azure Hero 4
Microsoft Azure Hero 4 (Image credit: Microsoft)

What you need to know

  • Recently exposed Azure Linux vulnerabilities leave users vulnerable to having their Azure environments infiltrated by attackers.
  • These bugs, dubbed OMIGOD (a reference to the Open Management Infrastructure software agent), are found in OMI, which is installed on Virtual Machines (VMs) when a number of popular Azure services are enabled.
  • While Microsoft has released a patched version of OMI, the responsibility of installing said update falls on the user.

Azure Linux administrators, it's time to get patching. In response to the recent OMIGOD vulnerabilities, Microsoft has released an updated version of OMI, but you'll need to upgrade on your own (via BleepingComputer). Here's the full scoop.

OMIGOD vulnerabilities are named after OMI, an acronym that stands for the Open Management Infrastructure software agent. The OMIGOD vulnerabilities found in OMI have opened the door for RCE (Remote Code Execution) attacks from malicious parties. And if you're an Azure user operating on a Linux setup with a service such as Azure Diagnostics or Azure Automation enabled, that means you have OMI on your Virtual Machine.

Microsoft, aware of the issues, has released an updated version of OMI that hopes to fix the aforementioned problems. Here's the wrinkle: It can't auto-update vulnerable extensions for the customer. They'll need to do that themselves.

"Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below," Microsoft said in its blog post (opens in new tab) on the subject. You can read the post for expanded details and the full scoop on how Azure Linux users are affected.

As spotted by The Register, security experts appear to be displeased with the current situation.

See more

For those of you who have read this far and still aren't sure how this all pertains to your personal computing activities, feel free to disregard everything here and focus on other Microsoft news, such as the impending launch of Windows 11.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to

1 Comment
  • "Astonishingly, the bug seems to boil down to a laughably easy trick. Rather than guessing a valid authentication token to insert into a fraudulent OMI web request, you simply omit all mention of the authentication token altogether, and you’re in!". Source: I guess at this point it will take a class action law suit for Microsoft to rehire the Quality Assurance (QA) Department and Programmatic testers... 🤦‍♂️🤦‍♂️ Since OMI gets installed by default when certain Azure services are enabled... "When customers set up a Linux virtual machine in their cloud, the OMI agent is automatically deployed without their knowledge when they enable certain Azure services." Short Note: this is a linux based bug, not windows but still it's a mess. From first link: "The bug in brief Greatly simplified, OMI is Microsoft’s Linux-based answer to WMI, the Windows Management Interface that sysadmins use to keep tabs on their Windows networks. Like WMI, the OMI code runs as a priviliged process on your servers so that sysadmins, and system administration software, can query and control what’s going on, such as enumerating processes, kicking off utility programs, and checking up on system configuration settings. Unfortunately, cybercrooks, epecially ransomware criminals, love WMI just as much as sysadmins. That’s because WMI helps attackers to plan and execute their destructive attacks across a whole organisation, once they’ve got an Administrator-level beachhead somewhere on the network. Sadly, OMIGOD is an OMI bug that, in theory, offers criminals the same sort of distributed power over your Linux servers… …except that you don’t need that Administrator-level beachhead first, because CVE-2021-38647 basically provides a beachhead all of its own, letting you break in, get root, and take over, all in one go."