Microsoft has patched four vulnerabilities, one of them critical, that are collectively known as OMIGOD.
The vulnerabilities were found in the Open Management Infrastructure (OMI) software agent, which Azure installs quietly on more than half of its Linux machines.
OMI is an IT-management service that supports most UNIX systems and contemporary Linux platforms, and it is used by many Azure services, including Azure Operations Management Suite (OMS), Azure Insights, and Azure Automation.
The vulnerabilities were discovered by Wiz researchers Nir Ohfeld and Shir Tamari.
Important security patch was released today for OMI- one of the secret agents installed by Microsoft on customers’ Linux VMs. Make sure to update OMI for the latest release (1.6.8.1) @wiz_io https://t.co/s2PIsAsQeo
— Shir (@shirtamari) September 14, 2021
According to BleepingComputer, the researchers "conservatively estimate" that thousands of Azure customers and millions of endpoints were affected by these flaws:
- CVE-2021-38647: unauthenticated RCE as root (CVSS 9.8)
- CVE-2021-38648: privilege escalation (CVSS 7.8)
- CVE-2021-38645: privilege escalation (CVSS 7.8)
- CVE-2021-38649: privilege escalation (CVSS 7.0)
All the Azure customers that have Linux machines running one of the tools or services listed here are therefore exposed: Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics.
When users enable any of these popular services, OMI is silently installed on their virtual machine and runs as root. This happens without the customer's explicit consent or knowledge: agreeing to log collection during set-up is enough to opt in.
The OMIGOD vulnerabilities affect other Microsoft customers as well, because the OMI agent is also embedded in Microsoft's server management product, System Center for Linux, and can be installed manually on-premises.
This is a textbook RCE vulnerability of the kind you would expect to see in the 1990s; it is highly unusual for one to crop up in 2021 that can expose millions of endpoints.
With a single packet an attacker can become root on a remote machine, simply by omitting the authentication header: when a WS-Man request arrives with no Authorization header, the OMI server does not reject it but handles it as if it came from root (uid 0), so the command in the request runs with root privileges. The remote path is only reachable where OMI's WS-Man listener is exposed on the network (TCP 5985, 5986 or 1270); an install that only serves the local Unix socket is still exposed to the three local privilege-escalation bugs, but not to remote root.
This vulnerability can also be used by attackers to obtain initial access to a target Azure environment and then move laterally within it.
Secure Your Azure Linux Endpoint
Back in August, Microsoft pushed a commit labelled "Enhanced Security" to the public OMI repository; unfortunately, the diff gave anyone reading it the details needed to develop an exploit, weeks before patched packages reached customers.
Microsoft has released a patched OMI version (1.6.8.1) and advised customers to update OMI manually; the suggested steps from Microsoft are here.
If OMI is listening on ports 5985, 5986 or 1270, restrict network access to those ports immediately, in the VM's network security group and on the host firewall, to block the RCE (CVE-2021-38647) while you update.
Note that Microsoft has no auto-update mechanism for the vulnerable agents on Azure Linux machines, which means customers have to upgrade OMI themselves to protect their endpoints from attacks that use the OMIGOD exploits.
A manual update is therefore the only option; these are the steps needed to update the OMI agent:
- Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs
- Then use your platform's package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).
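To tie the two mitigations together (restricting the OMI ports while the fix is pending, and verifying the package upgrade afterwards), here is a small triage script, added to this article as an illustration and not Microsoft's or Wiz's tooling. It reports the installed OMI version and compares it against 1.6.8.1, lists which of the ports 5985, 5986 and 1270 actually have a TCP listener, and, with --restrict, drops inbound traffic to those ports with iptables. Everything not stated in the article is an assumption: the package name omi in dpkg and rpm, that /opt/omi/bin/omiserver -v prints a line containing the version, the ss/netstat output format, and that iptables is available.

```shell
#!/bin/sh
# omigod_check.sh: local triage for the OMI agent on a Linux VM.
# Illustrative script added to this article, not Microsoft's or Wiz's tooling.
# Assumptions (not from the article): the package is named "omi" in dpkg/rpm,
# "/opt/omi/bin/omiserver -v" prints a line containing the version, and
# iptables is available for the --restrict action.
set -u

# Patched release named by Microsoft: 1.6.8.1 (shipped as package version 1.6.8-1).
OMI_FIXED_VERSION="1.6.8.1"

# TCP ports OMI's WS-Man listener may use (HTTP, HTTPS, legacy System Center port).
OMI_PORTS="5985 5986 1270"

# Normalise any string holding an OMI version ("1.6.8-1", "omi-1.6.4-1.ulinux.x64",
# "/opt/omi/bin/omiserver: 1.6.8-1") to four dotted numbers, e.g. "1.6.8.1".
omi_normalize_version() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+([.-][0-9]+)?/) {
            v = substr($0, RSTART, RLENGTH)
            gsub(/-/, ".", v)                              # 1.6.8-1 -> 1.6.8.1
            if (split(v, parts, ".") == 3) v = v ".0"      # 1.7.0   -> 1.7.0.0
            print v
            exit
        }'
}

# Succeeds (exit 0) when dotted version $1 is greater than or equal to $2.
omi_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Print "patched", "vulnerable" or "unknown" for a raw version string.
omi_patch_status() {
    v=$(omi_normalize_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif omi_version_ge "$v" "$OMI_FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Print the installed OMI version: ask omiserver itself, then dpkg, then rpm.
omi_installed_version() {
    if [ -x /opt/omi/bin/omiserver ]; then
        /opt/omi/bin/omiserver -v 2>/dev/null && return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null && return 0
    fi
    return 1
}

# Print each OMI port that has a TCP listener (one per line). Needs ss or netstat.
omi_listening_ports() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null)
    elif command -v netstat >/dev/null 2>&1; then
        listeners=$(netstat -ltn 2>/dev/null)
    else
        return 1
    fi
    for p in $OMI_PORTS; do
        printf '%s\n' "$listeners" | grep -Eq "[:.]$p([[:space:]]|\$)" && echo "$p"
    done
    return 0
}

# Drop inbound OMI traffic arriving on any interface other than loopback
# (loopback is left alone so local clients keep working). Requires root.
omi_restrict_ports() {
    for p in $OMI_PORTS; do
        iptables -C INPUT ! -i lo -p tcp --dport "$p" -j DROP 2>/dev/null ||
            iptables -I INPUT ! -i lo -p tcp --dport "$p" -j DROP
    done
}

# Summarise version and exposure, then print a one-line verdict.
omi_report() {
    raw=$(omi_installed_version) || raw=""
    if [ -z "$raw" ]; then
        echo "OMI: not installed, nothing to do"
        return 0
    fi
    status=$(omi_patch_status "$raw")
    echo "OMI version: $raw -> $status (fixed in $OMI_FIXED_VERSION)"
    ports=$(omi_listening_ports) || ports=""
    if [ -n "$ports" ]; then
        echo "OMI TCP listeners: $(printf '%s' "$ports" | tr '\n' ' ')"
    else
        echo "No OMI TCP listener on ports $OMI_PORTS (Unix socket only, or not running)"
    fi
    if [ "$status" = vulnerable ] && [ -n "$ports" ]; then
        echo "EXPOSED to CVE-2021-38647: update OMI now, or run '$0 --restrict' meanwhile"
    fi
}

case "${1:-}" in
    --restrict) omi_restrict_ports ;;
    *) omi_report ;;
esac
```

Run it as root with no arguments to check a VM; run it with --restrict as a stop-gap until the upgrade is done. The version comparison normalises 1.6.8-1 and 1.6.8.1 to the same value, because the package version and Microsoft's advisory write the patched release differently, and an earlier build such as 1.6.8-0 is still reported as vulnerable.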