[German]Those responsible for Linux VMs under Microsoft Azure need to react immediately. Management agents have been silently installed, that have RCE and LPE vulnerabilities. The vulnerability, called OMIGOD, must be patched manually because there is no Azure update mechanism.
I became aware of the issue addressed by Wiz security researchers via the following tweet from Kevin Beaumont.
Four vulnerabilities in OMI agent
Security researchers from Wiz have recently come across a risk in open source code that can hit cloud service customers in particular. It revolves around the little-known software agent called Open Management Infrastructure (OMI). Open Management Infrastructure (OMI) is an open source project promoted by Microsoft in collaboration with The Open Group.
OMI is essentially the Windows Management Infrastructure (WMI) for UNIX/Linux systems. OMI can be used to collect data for statistics and synchronize configurations in the Linux environment. Thanks to the ease of use and abstraction that OMI provides, it is widely used by Azure services. That includes Azure Operations Management Suite (OMS)(OMS), Azure Insights and Azure Automation. The Wiz folks write:
When customers set up a Linux virtual machine in their cloud, the OMI agent is automatically installed without their knowledge when they enable certain Azure services. With unpatched versions of this agent, attackers can easily exploit four vulnerabilities to gain root privileges and execute malicious code remotely (e.g., to encrypt files for ransom).
However, the OMI agent runs with root privileges. If the HTTP API (or an HTTPS port) of a deployed Linux VM on Azure is accessible via the Internet, attackers could remotely exploit the four vulnerabilities listed below and operate as root. By default, the HTTPS ports should be active on both standalone Linux installations and Azure Configuration Management or System Center Operations Manager (SCOM). So the Linux VMs are open like a barn door to attackers. Security researchers have christened this quartet of 0-Days vulnerabilities OMIGOD (the first thought when the impact of the vulnerability was foreseeable.
Security researchers estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants analyzed by Wiz, over 65% were unknowingly compromised. Wiz security researchers reported the vulnerabilities to Microsoft.
Microsoft provides security updates
As of September 14, 2021, Microsoft has released the following CVEs for OMIGOD. A patch is available for each of the vulnerabilities listed below:
- CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
- CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)
The particularly explosive aspect is that Microsoft does not have an automatic update mechanism, so administrators of the VMs have to update the agents manually. Security researchers at Wiz strongly recommend that all Azure users ensure OMI is patched in their environment.
Who is affected?
Azure customers with Linux machines (i.e., more than half of all Azure instances) are at risk if any of the following services/tools are used.
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
Wiz security researchers note that the above list may be incomplete. In addition to Azure cloud customers, Wiz says other Microsoft customers are affected because OMI can be installed independently on any Linux machine and is often deployed on-premises. For example, OMI is integrated with System Center for Linux, Microsoft's server management solution.
OMI is updated via the parent Azure service that installed it. Wiz security researchers strongly recommend administrators verify that their environment is indeed patched and that they are using the latest version of OMI (version 220.127.116.11). In particular, System Center deployments of OMI are more at risk because the Linux agents are outdated. Customers still using System Center with OMI-based Linux may need to manually update the OMI agent.
Details about the current state of affairs, can be read in this post. The security researchers plan to update this post with more information as it becomes available.
Is it patched?
Kevin Beaumont points out in the following tweet that the whole thing is not really fixed.
If you set up a new VM with Linux, the OMI agent with the vulnerabilities is installed without prompting and notification.
Addendum: In this tweet it's shown, how to use Azure Security Center to identify machines vulnerable to OMIGOD vulnerability CVE-2021-38647.
Cookies helps to fund this blog: Cookie settings