“Secret Agent” Virus Is Putting Computer Owners At Risk

(JustPatriots.com)- As if cloud services weren’t complicated enough, cloud providers maintain a layer of middleware that can hide security problems.

Wiz.io researchers unveiled an open-source cloud middleware database on GitHub last week at RSA Conference in San Francisco. The database specifies the middleware agents that AWS, Google, and Microsoft deploy on their cloud clients’ virtual machines.

The idea is to shed light on this usually hidden proprietary software layer and its potential software faults that can put cloud customers in danger.

Cloud providers install “secret agent” middleware on customers’ virtual machines with the highest privileges as a “bridge” between their cloud services and customers’ VMs.

Wiz.io’s chief of research, Shir Tamari, said at the RSA Conference last week that cloud clients don’t know about these agents because most are silently installed. If pre-installed, they don’t know.

The most well-known instance of cloud middleware gone awry was when Microsoft Azure’s Open Management Infrastructure (OMI) agent software was found to contain serious weaknesses last fall. Tamari and his colleague researchers in Azure discovered major privilege escalation and remote execution vulns, collectively known as OMIGOD. For the purpose of offering configuration management features to cloud users, OMI runs on several Linux VMs on Azure.

CVE-2021-38647 allowed an attacker to get root on a VM with a single transmission by stripping the authentication header. OMI’s HTTPS management port was exposed to the Internet by default. Microsoft released auto-updates for Azure to fix the weaknesses after first issuing patches that most Azure customers didn’t know applied to them.

Tamari stated middleware patching was confusing.

The Cloud Middleware Dataset includes Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root capabilities.
How can organizations find these “hidden agents”?

Wiz co-founder and CTO Ami Luttwak said enterprises should ask cloud providers about their software environment: They should ask whose middleware it is and how you know whether it’s operating on your environment.

Does the software include vulnerabilities, and how are updates and fixes handled?