Wiz finds Azure customers remain unpatched from cloud middleware vulnerability and collaborates with Microsoft to introduce an auto-patching solution against cloud middleware security issues and make the cloud safer
Analysis Summary
# Vulnerability: Local Privilege Escalation in Microsoft OMI (CVE-2022-29149)
## CVE Details
- CVE ID: CVE-2022-29149
- CVSS Score: Not explicitly provided, severity implied as significant due to LPE.
- CWE: Not explicitly provided in summary.
## Affected Systems
- Products: Microsoft Open Management Infrastructure (OMI), Azure Operations Management Suite (OMS) agent, Desired State Configuration (DSC) agent, Azure Diagnostics (LAD) agent.
- Versions: OMI builds shipped before the June 2022 Patch Tuesday fixes.
- Configurations: Systems running Azure services that utilize OMI, such as Azure Automation, Azure Log Analytics, and Azure Sentinel.
## Vulnerability Description
CVE-2022-29149 is a local privilege escalation (LPE) vulnerability residing within the OMI (Open Management Infrastructure) software, which acts as cloud middleware, often installed by CSPs like Microsoft on Azure infrastructure to manage Linux/UNIX systems. Attackers who have gained local access can exploit this flaw to elevate their privileges.
## Exploitation
- Status: Exploitation validated by Wiz Research; the summary does not state whether this CVE was exploited in the wild, though the surrounding context points to the risk that OMI vulnerabilities carry in general.
- Complexity: Implied to be manageable for a local attacker ("validated its exploitability").
- Attack Vector: Local (Requires prior access to the system).
## Impact
- Confidentiality: High (Implied by successful LPE leading to potential access to sensitive data).
- Integrity: High (Implied by successful LPE leading to unauthorized system modification).
- Availability: Medium (Potential for system instability or denial of service, though the primary impact of LPE is often confidentiality/integrity).
## Remediation
### Patches
- Microsoft released an update fixing CVE-2022-29149 as part of the June 2022 Patch Tuesday.
- The patch is delivered when the dependent agents are updated:
  - Azure Operations Management Suite (OMS) agent
  - Desired State Configuration (DSC) agent
  - Azure Diagnostics (LAD) agent
### Workarounds
- **Enable Automatic Extension Upgrade:** Customers are strongly urged to opt-in to the **Automatic Extension Upgrade** capability on Azure for the OMS, Azure Diagnostics, and DSC agents. This ensures that OMI (and the agents relying on it) are automatically patched when updates are released.
- **Migrate:** Customers are encouraged to migrate to the **Azure Monitoring Agent**, which does not rely on OMI.
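The opt-in above is per VM extension, so a defender needs to know which VMs still carry the three OMI-dependent agents without Automatic Extension Upgrade enabled. The following is an added audit helper (not code from Wiz or Microsoft): it reads the JSON produced by `az vm extension list` for one VM, flags any OMS/LAD/DSC extension whose `enableAutomaticUpgrade` flag is not set, and builds the `az vm extension set --enable-auto-upgrade true` command that remediates it. The JSON field names follow the az CLI output format as assumed here; the sample input is constructed.

```python
"""Audit a Linux VM's extension list for OMI-dependent agents that are not
opted in to Azure Automatic Extension Upgrade. Added example; the JSON
field names (publisher, typePropertiesType, enableAutomaticUpgrade) are
assumed to match 'az vm extension list' output."""
import json

# (publisher, type) of the three agents that bundle OMI, lower-cased for matching.
OMI_DEPENDENT = {
    ("microsoft.enterprisecloud.monitoring", "omsagentforlinux"): "OMS agent",
    ("microsoft.azure.diagnostics", "linuxdiagnostic"): "Azure Diagnostics (LAD) agent",
    ("microsoft.ostcextensions", "dscforlinux"): "DSC agent",
}

# Constructed sample of 'az vm extension list' output: OMS has the flag unset,
# LAD is already opted in, DSC is explicitly off, CustomScript is unrelated.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "OmsAgentForLinux", "publisher": "Microsoft.EnterpriseCloud.Monitoring",
     "typePropertiesType": "OmsAgentForLinux", "enableAutomaticUpgrade": None},
    {"name": "LinuxDiagnostic", "publisher": "Microsoft.Azure.Diagnostics",
     "typePropertiesType": "LinuxDiagnostic", "enableAutomaticUpgrade": True},
    {"name": "DSCForLinux", "publisher": "Microsoft.OSTCExtensions",
     "typePropertiesType": "DSCForLinux", "enableAutomaticUpgrade": False},
    {"name": "CustomScript", "publisher": "Microsoft.Azure.Extensions",
     "typePropertiesType": "CustomScript", "enableAutomaticUpgrade": False},
])


def unprotected_extensions(raw_json):
    """Return the extension records that bundle OMI but are not auto-upgrading."""
    found = []
    for ext in json.loads(raw_json):
        key = (ext.get("publisher", "").lower(), ext.get("typePropertiesType", "").lower())
        # Anything other than an explicit True (None, False, missing) means not opted in.
        if key in OMI_DEPENDENT and ext.get("enableAutomaticUpgrade") is not True:
            found.append(ext)
    return found


def find_unprotected(raw_json):
    """Instance names of OMI-dependent extensions still lacking auto-upgrade."""
    return [ext["name"] for ext in unprotected_extensions(raw_json)]


def remediation_commands(resource_group, vm_name, raw_json):
    """One 'az vm extension set' opt-in command per unprotected extension."""
    return [
        f"az vm extension set --resource-group {resource_group} --vm-name {vm_name} "
        f"--name {ext['typePropertiesType']} --publisher {ext['publisher']} "
        f"--enable-auto-upgrade true"
        for ext in unprotected_extensions(raw_json)
    ]


if __name__ == "__main__":
    for name in find_unprotected(SAMPLE_AZ_OUTPUT):
        print(f"NOT auto-upgrading: {name}")
    print("\n".join(remediation_commands("my-rg", "my-vm", SAMPLE_AZ_OUTPUT)))
```

Run it against real data by replacing `SAMPLE_AZ_OUTPUT` with the output of `az vm extension list --resource-group <rg> --vm-name <vm>`; a VM that reports nothing is either opted in for all three agents or has none of them installed.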
## Detection
- The article suggests that specific management solutions can detect vulnerable OMI installations automatically; this summary does not reproduce any IoCs or signatures.
- For technical details on detection instructions, refer to the Wiz technical blog regarding CVE-2022-29149.
## References
- Vendor advisory: Microsoft Security Update Guide for CVE-2022-29149 (details not provided, linked via MSRC page).
- Wiz Technical Analysis: wiz dot io/blog/omi-returns-lpe-technical-analysis/
- General Cloud Middleware Research: wiz dot io/blog/the-cloud-gray-zone-secret-agents-installed-by-cloud-service-providers/
- Agent Update Information (e.g., OMS/LAD): techcommunity dot microsoft com/t5/azure-observability-blog/auto-update-of-azure-log-analytics-agent-and-diagnostics/ba-p/3591380
- DSC Update Information: techcommunity dot microsoft com/t5/azure-governance-and-management/automatic-extension-upgrade-of-desired-state-configuration-dsc/ba-p/3591343