Event Summary
Four vulnerabilities have been identified in the Open Management Infrastructure (OMI) agent used for managing Linux and UNIX VMs in Microsoft Azure deployments. The most severe allows Remote Code Execution (RCE); the remaining three allow privilege escalation on a vulnerable remote machine.
This set of vulnerabilities has been dubbed “OMIGOD”. The vulnerabilities affect both on-premises and cloud deployments of Linux VMs. VMs are protected if deployed within a Network Security Group (NSG) or behind a perimeter firewall that restricts access to the OMI management ports.
Details
CVE-2021-38647 – OMI Remote Code Execution Vulnerability
CVE-2021-38645 – OMI Elevation of Privilege Vulnerability
CVE-2021-38649 – OMI Elevation of Privilege Vulnerability
CVE-2021-38648 – OMI Elevation of Privilege Vulnerability
Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs.
Affected versions of OMI: all OMI versions before v1.6.8-1 are vulnerable.
When a Linux VM is set up in Azure, the OMI agent is deployed automatically alongside certain Azure services.
Threat actors can exploit CVE-2021-38647 to gain root privileges on a remote system with a single crafted packet from which the authentication header has been removed. This is possible if the OMI HTTPS management ports (5986, 5985 and 1270) are exposed externally, which is the default configuration when OMI is installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM).
Recommendations
At this time, Microsoft has released updates for Desired State Configuration (DSC) and SCOM that address the remote code execution vulnerability. However, Microsoft has yet to deploy fixes for every service that uses the vulnerable OMI version. See the Microsoft blog detailing the fix schedule for the various services.
For VMs deployed in the cloud, confirm that automatic extension updates are enabled; see the Microsoft instructions listed under Sources to confirm the configuration of automatic updates. Microsoft will push updates to cloud deployments automatically, with no restart required.
For on-premises or System Center deployments, the Linux agents have been deprecated and manual updates will need to be applied.
If a vulnerable version of OMI is found to be in use, confirm that the deployment is either behind a firewall or in a Network Security Group, and block public access to the OMI ports TCP 5985, 5986 and 1270.
Please note: ports 5985 and 5986 are also used for PowerShell Remoting on Windows, which is not impacted by these vulnerabilities.
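As an added example (not part of this advisory), a POSIX shell helper that performs the two checks above on a Linux host: it compares the installed OMI version against 1.6.8-1 and lists the OMI ports listening on a wildcard address. It assumes the package is named omi and that Debian package metadata spells the version 1.6.8.1; the listener table is constructed sample data.

```shell
# Added example, not from the advisory: check a Linux host for a vulnerable
# OMI build and for OMI ports bound on all interfaces.

# Collapse a version such as "1.6.8-1" (or the "1.6.8.1" spelling used by the
# Debian package metadata; assumption) into one comparable integer.
omi_version_number() {
    printf '%s\n' "$1" | tr '-' '.' |
        awk -F. '{ printf "%d", $1*1000000000 + $2*1000000 + $3*1000 + $4 }'
}

# True (exit 0) when VERSION is older than the fixed release 1.6.8-1.
omi_vulnerable() {
    [ "$(omi_version_number "$1")" -lt 1006008001 ]
}

# Installed OMI version from the package database (package name "omi" is an
# assumption); prints nothing when OMI is not installed.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
    return 0
}

# Read `ss -Hltn` output on stdin and print the OMI ports (TCP 5985, 5986,
# 1270) bound to a wildcard address, i.e. reachable from outside unless a
# firewall or NSG blocks them. Loopback-only listeners are not reported.
omi_exposed_ports() {
    awk '$4 ~ /:(5985|5986|1270)$/ && $4 ~ /^(\*|0\.0\.0\.0|\[::\]):/ {
             sub(/.*:/, "", $4); print $4 }' | sort -n | paste -s -d ' '
}

# Constructed sample listener table (not real output from any host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 128 0.0.0.0:5986   0.0.0.0:*
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 128 *:1270         *:*'

# Live check for the host under review: source this file and call omi_report.
omi_report() {
    v=$(omi_installed_version)
    [ -n "$v" ] || { echo "OMI is not installed"; return 0; }
    if omi_vulnerable "$v"; then echo "OMI $v is vulnerable (older than 1.6.8-1)"
    else echo "OMI $v is at or above the fixed release"; fi
    echo "OMI ports on wildcard addresses: $(ss -Hltn | omi_exposed_ports)"
}
```

On the sample table only 5986 and 1270 are reported, because 5985 is bound to loopback; a port that shows up here still needs the NSG or firewall check from the recommendations before it is treated as exposed.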
SOD Actions
We recommend following Microsoft’s guidance: isolate any Linux/UNIX Azure VM from public access, enable automatic extension updates for cloud deployments, and apply the provided Azure extension updates on any System Center or on-premises Linux VM Azure deployments.
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.
Sources
Microsoft Security Response Center – OMI Vulnerabilities Guidance and Patch Schedule
CVE-2021-38647 – OMI Remote Code Execution Vulnerability
CVE-2021-38645 – OMI Elevation of Privilege Vulnerability
CVE-2021-38649 – OMI Elevation of Privilege Vulnerability
CVE-2021-38648 – OMI Elevation of Privilege Vulnerability
Microsoft Docs – Automatic Extension Upgrade configuration instructions
DARKReading – OMIGOD: Azure Users Warned of Critical OMI Vulnerabilities