ANNOUNCEMENT: Security On-Demand Announces ThreatWatch Response and Remediation Service | SEE RELEASE
HR Photos for Marina (2)

Critical OMI Vulnerabilities in Linux Azure VM Deployments

17 September, 2021

Event Summary

Four vulnerabilities have been identified in the Open Management Infrastructure (OMI) used for managing Linux and UNIX VM’s with Microsoft Azure implementations.  Of these, the most severe vulnerability allows for Remote Code Execution (RCE), while the remaining three allow for privilege escalation on a vulnerable remote machine.

This set of vulnerabilities has been dubbed, “OMIGOD”.  The vulnerabilities affect both on premise and Cloud deployments of Linux VM’s.  Fortunately, VM’s are protected if deployed within a Network Security Group (NSG) or behind a perimeter firewall with restrictions to the OMI management ports.

Details

CVE-2021-38647 – OMI Remote Code Execution Vulnerability

CVE-2021-38645 – OMI Elevation of Privilege Vulnerability

CVE-2021-38649 – OMI Elevation of Privilege Vulnerability

CVE-2021-38648 – OMI Elevation of Privilege Vulnerability

Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VM’s.

Affected Versions of OMI: All OMI versions before v1.6.8-1 are vulnerable.

When a Linux VM machine is setup in Azure, the OMI agent is automatically deployed when certain Azure services are deployed.

Threat Actors are able to take advantage of CVE-2021-38647 and gain ROOT privileges on a remote system with a single crafted packet where the authentication header has been removed.  This is possible if the OMI HTTPS management ports, 5986/5985/1270, are exposed externally.  This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM).

Recommendations

At this time, Microsoft has provided updates for DSC and SCOM to address the remote execution vulnerability. However, Microsoft has yet to deploy fixes for each service that uses the vulnerable OMI version.  See the Microsoft blog detailing a fix schedule for the various services.

For VM’s deployed in the cloud, confirm that automatic extension updates are enabled.  See the Microsoft instructions here to confirm the configuration of automatic updates. Microsoft will push updates to the cloud deployments automatically with no restart required.

For on premise, or system center deployments, the Linux agents have been deprecated and manual updates will need to be applied.

If a vulnerable version of the OMI is determined to be in use, confirm that the deployment is either behind a firewall or in a Network Security group.  Block public access to the OMI ports TCP 5985, 5986 and 1270.

Please note: Ports 5985 and 5986 are used for PowerShell Remoting on Windows, but are not impacted by these vulnerabilities.

SOD Actions

We recommend following Microsoft’s recommendations for isolating any Linux/UNIX Azure VM from public access, enabling automatic extension updates for cloud deployments and implementing provided updates for Azure extensions on any System Center/on premise Linux VM Azure deployments.

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.

Sources

Microsoft Security Response Center – OMI Vulnerabilities Guidance and Patch Schedule

CVE-2021-38647 – OMI Remote Code Execution Vulnerability

CVE-2021-38645 – OMI Elevation of Privilege Vulnerability

CVE-2021-38649 – OMI Elevation of Privilege Vulnerability

CVE-2021-38648 – OMI Elevation of Privilege Vulnerability

Microsoft Docs – Automatic Extension Upgrade configuration instructions

DARKReading – OMIGOD: Azure Users Warned of Critical OMI Vulnerabilities