Secplicity - Security Simplified

Powered by WatchGuard Technologies

Azure Linux VMs Vulnerable Due to Pre-Installed Agents

September 16, 2021 By Josh Stuifbergen

Update 1: OMI agent is not installed on Azure FireboxV/Cloud instances (September 17th, 2021):

We reviewed our FireboxV/Cloud instance for Azure and confirmed that the OMI agent cannot be installed on the image. We recommend reviewing the additional guidance Microsoft published on September 16th, 2021 for securing the OMI-affected resources and tools.

Original Post (September 16th, 2021):

It has been several weeks since Wiz, a cloud infrastructure security company, published their Azure Cosmos DB vulnerability dubbed ‘ChaosDB’. They published a new Azure vulnerability on September 14th, 2021, which affects Linux Virtual Machines (VMs) through the default agents installed on them. Wiz named the group of four vulnerabilities ‘OMIGOD’.

The Open Management Infrastructure (OMI) agent is comparable to the Windows Management Infrastructure (WMI) service. OMI agents gather statistics and sync configurations. By default, the OMI agents are installed on a large segment of Azure Linux VM instances. They can also be present in on-premises deployments. It’s understandable then that these vulnerabilities extend to a wide segment of Azure’s services.

A partial list of affected services and tools provided by Wiz:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

Microsoft published security patches for these vulnerabilities after receiving prior notice from Wiz. What makes these OMI agents significant is that they run with root privileges, which gives a lower-privileged user a privilege escalation path through the agent. The three privilege escalation vulnerabilities are CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649.

The fourth vulnerability, CVE-2021-38647, is an unauthenticated Remote Code Execution (RCE) as root. It garnered the most attention because of its severity and how simple an attack is to execute. Several Azure services communicate with the OMI agents over open HTTP/S ports 5986, 5985, or 1270. Leaving these ports Internet-accessible is risky on its own, and the exploit to gain RCE is disappointingly simple: it only requires the attacker to send a single POST request with the Authorization header removed. Wiz provides additional detail in their blog post. Thankfully, most Azure services are deployed without those ports open (but not all).

[Image from Wiz]

We previously mentioned that Microsoft published patches for these vulnerabilities. Microsoft’s protection steps:

  • You need to add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs.
  • You can then use your platform’s package tool to upgrade OMI (for example, ‘sudo apt-get install omi’ or ‘sudo yum install omi’).

As of this writing, patching alone does not close the gap: Wiz noticed on September 15th, 2021, that Azure was still deploying vulnerable versions of OMI to new Linux VMs. We recommend scanning your Azure environments to determine which services have exposed ports (5986, 5985, and 1270) and enabling any pertinent firewall rules to decrease external access.
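One way to carry out the exposure check recommended above is to audit the Network Security Group (NSG) rules in front of each VM for the three OMI ports. The script below is an added example written for this article; it is not code from Secplicity, WatchGuard or Wiz. The rule fields mirror the Azure NSG `securityRules` properties (`priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`, `destinationPortRange`), the sample rule set is constructed here, and the evaluation is a simplified model of NSG processing (lowest priority number first, first match wins, platform default deny if nothing matches). The platform default deny is an assumption of the model, not something the post states.

```python
"""Audit Azure NSG rules for Internet exposure of the OMI agent ports.

Added example, not from the original post. The rule dictionaries follow the
shape of Azure NSG securityRules properties, but SAMPLE_RULES is constructed
for this demonstration and the evaluation is a simplified NSG model.
"""

OMI_PORTS = (5985, 5986, 1270)  # ports named in the post
# Source prefixes that mean "anywhere on the Internet" for the purpose of this audit.
INTERNET_PREFIXES = {"*", "internet", "0.0.0.0/0", "any"}


def _port_matches(spec: str, port: int) -> bool:
    """True if a single port spec ("*", "5986" or "1000-2000") covers `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _rule_ports(rule: dict) -> list[str]:
    """Collect destination port specs from both singular and plural fields."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return [p for spec in specs for p in spec.split(",") if p.strip()]


def _source_is_internet(rule: dict) -> bool:
    """A rule only counts as Internet-wide if its source is unrestricted.

    Rules scoped to a specific CIDR or a service tag such as VirtualNetwork
    do not match Internet-originated traffic in this model.
    """
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(p.strip().lower() in INTERNET_PREFIXES for p in prefixes)


def _rule_matches(rule: dict, port: int) -> bool:
    """Would Internet-sourced TCP traffic to `port` be evaluated by this rule?"""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False  # OMI listens on TCP; UDP-only rules are irrelevant
    if not _source_is_internet(rule):
        return False
    return any(_port_matches(spec, port) for spec in _rule_ports(rule))


def exposed_omi_ports(rules: list[dict], ports=OMI_PORTS) -> dict[int, str]:
    """Return {port: rule_name} for OMI ports an Internet client can reach.

    Rules are walked in ascending priority number, and the first rule that
    matches decides (Allow -> exposed, Deny -> blocked). If nothing matches,
    the assumed platform default DenyAllInBound applies and the port is safe.
    """
    ordered = sorted(rules, key=lambda r: r["priority"])
    exposed: dict[int, str] = {}
    for port in ports:
        for rule in ordered:
            if _rule_matches(rule, port):
                if rule.get("access", "").lower() == "allow":
                    exposed[port] = rule["name"]
                break  # first matching rule wins, whether Allow or Deny
    return exposed


# Constructed sample NSG: one explicit deny for 5986, one broad management
# rule that accidentally covers 5985 and the 1000-2000 range (and so 1270).
SAMPLE_RULES = [
    {"name": "deny-omi-from-internet", "priority": 100, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "5986"},
    {"name": "allow-mgmt-range", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["1000-2000", "5985"]},
    {"name": "allow-ssh-vnet", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "22"},
    {"name": "allow-https", "priority": 400, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
]

if __name__ == "__main__":
    for port, rule_name in exposed_omi_ports(SAMPLE_RULES).items():
        print(f"OMI port {port} is Internet-reachable via NSG rule '{rule_name}'")
```

Against the constructed sample, the explicit deny at priority 100 protects 5986, but the broad management rule at priority 200 leaves 5985 and 1270 reachable; that wide range is exactly the kind of rule this audit is meant to surface. To use it on real data, export the `securityRules` of each NSG (for example with the Azure CLI) and pass them in place of `SAMPLE_RULES`.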
