Secplicity – Security Simplified

Azure Linux VMs Vulnerable Due to Pre-Installed Agents

Update 1: OMI agent is not installed on Azure FireboxV/Cloud instances (September 17th, 2021):

We reviewed our FireboxV/Cloud instance for Azure and confirmed that the OMI agent cannot be installed on the image. We recommend reviewing the additional guidance Microsoft published on September 16th, 2021 for securing OMI-affected resources and tools.

Original Post (September 16th, 2021):

It has been several weeks since Wiz, a cloud infrastructure security company, published their Azure Cosmos DB vulnerability dubbed ‘ChaosDB’. On September 14th, 2021, they published a new set of Azure vulnerabilities that affect Linux Virtual Machines (VMs) through an agent installed on them by default. Wiz named the group of four vulnerabilities ‘OMIGOD’.

The Open Management Infrastructure (OMI) agent is the Linux counterpart of the Windows Management Instrumentation (WMI) service. OMI agents gather statistics and sync configurations. OMI is installed automatically on a large share of Azure Linux VMs, and it can also be present in on-premises deployments. It is understandable, then, that these vulnerabilities reach a wide segment of Azure’s services.

A partial list of affected services and tools provided by Wiz:

Microsoft published security patches for these vulnerabilities after being notified by Wiz. What makes the OMI agent significant is that it runs as root, so a flaw in it gives an attacker who already holds a low-privileged account on the VM a path to root. Three of the four vulnerabilities are such Privilege Escalation flaws: CVE-2021-38645, CVE-2021-38648 and CVE-2021-38649.

The fourth vulnerability, CVE-2021-38647, is an Unauthenticated Remote Code Execution (RCE) as root. It garnered the most attention because of its severity and how easy it is to exploit. Several Azure services talk to the OMI agent over HTTP or HTTPS on ports 5986, 5985 or 1270. Leaving those ports reachable from the Internet is risky on its own, and the exploit is disappointingly simple: a single HTTP POST request with the Authorization header removed is enough for a vulnerable agent to run the requested command as root. Wiz provides additional detail in their blog post. Thankfully, most Azure services are deployed without those ports open (but not all).

Image From Wiz
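The detection that follows from the description above, as an added example (not code from the original post, from Wiz or from Microsoft): flag any POST to the OMI listener ports that carries no Authorization header. The four request heads are constructed for the example, and the path `/wsman` in them is a sample value the detection does not rely on.

```python
"""Flag POST requests to the OMI listener ports that carry no Authorization header.

Added example; not code from the original post, from Wiz or from Microsoft.
It encodes the one fact the post gives about CVE-2021-38647: a POST to OMI on
5985, 5986 or 1270 whose Authorization header has been removed is the shape of
the attack. Run it over captured HTTP request heads (from a proxy, a PCAP
dissector or an HTTP-aware IDS); the requests in SAMPLE_REQUESTS are constructed.
"""
OMI_PORTS = {1270, 5985, 5986}

# Constructed samples: (destination port, raw request head). Bodies are omitted
# because the detection only needs the request line and the headers.
SAMPLE_REQUESTS = [
    (5986, b"POST /wsman HTTP/1.1\r\nHost: 10.0.0.4:5986\r\n"
           b"Content-Type: application/soap+xml;charset=UTF-8\r\n"
           b"Authorization: Basic b21pdXNlcjpzZWNyZXQ=\r\n\r\n"),      # authenticated: normal
    (5986, b"POST /wsman HTTP/1.1\r\nHost: 10.0.0.4:5986\r\n"
           b"Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n"),  # header removed: flag
    (443,  b"POST /api/login HTTP/1.1\r\nHost: web\r\n\r\n"),             # not an OMI port: ignore
    (1270, b"GET / HTTP/1.1\r\nHost: 10.0.0.4:1270\r\n\r\n"),             # not a POST: ignore
]


def parse_request_head(raw):
    """Return (method, target, headers) with header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # skip malformed header lines instead of crashing on them
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return method, target, headers


def is_unauthenticated_omi_post(port, raw):
    """The CVE-2021-38647 request shape: POST to an OMI port, no Authorization header."""
    if port not in OMI_PORTS:
        return False
    method, _, headers = parse_request_head(raw)
    return method == "POST" and "authorization" not in headers


def find_suspicious(requests):
    """Return [(port, target)] for every request that matches the attack shape."""
    hits = []
    for port, raw in requests:
        if is_unauthenticated_omi_post(port, raw):
            _, target, _ = parse_request_head(raw)
            hits.append((port, target))
    return hits


if __name__ == "__main__":
    for port, target in find_suspicious(SAMPLE_REQUESTS):
        print(f"unauthenticated POST to OMI port {port} ({target})")
```

Two caveats when using this. Port 5986 is HTTPS, so the headers are only visible where TLS is terminated (on the VM itself or behind a decrypting proxy); on the wire you will only see that something connected to the port. And a hit does not prove a successful exploit: a patched agent rejects the request, so treat a hit as evidence of who is probing and check the agent version on the target.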

 

As mentioned above, Microsoft published patches for these vulnerabilities. Microsoft’s recommended protection steps:

As of this writing, patching alone does not close the gap: Wiz observed on September 15th, 2021 that Azure was still deploying vulnerable versions of OMI to newly created Linux VMs. We recommend scanning your Azure environments for services that expose ports 5986, 5985 and 1270 and applying firewall rules (for example, network security group rules) to cut off external access to them.
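One way to run the recommended exposure scan, as an added example (not code from the original post, from Wiz or from Microsoft): evaluate each network security group's inbound rules the way Azure does and report the OMI ports the Internet can reach. The input shape and field names are assumed to be those of `az network nsg list -o json` and should be checked against your CLI version; the three NSGs in the sample are constructed.

```python
"""Report Azure NSGs whose inbound rules let the Internet reach the OMI ports.

Added example; not code from the original post, from Wiz or from Microsoft.
It evaluates NSG rules the way Azure does: lowest priority number first, the
first matching rule decides, and if nothing matches the default DenyAllInBound
rule applies. Input is the list returned by `az network nsg list -o json`;
the field names used here (securityRules, defaultSecurityRules, priority,
direction, access, protocol, sourceAddressPrefix/Prefixes and
destinationPortRange/Ranges) are assumed from that output and should be
checked against your CLI version. SAMPLE_NSGS is constructed for the example.
"""
import json

OMI_PORTS = (1270, 5985, 5986)
# Source prefixes treated as "reachable from anywhere on the Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample in the shape of `az network nsg list -o json` (trimmed).
SAMPLE_NSGS = json.loads("""[
  {"name": "nsg-web", "resourceGroup": "rg-prod",
   "securityRules": [
     {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
      "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
     {"name": "AllowOMI", "priority": 200, "direction": "Inbound", "access": "Allow",
      "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "5985-5986"}],
   "defaultSecurityRules": [
     {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
      "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}]},
  {"name": "nsg-mgmt", "resourceGroup": "rg-prod",
   "securityRules": [
     {"name": "DenyOMI", "priority": 100, "direction": "Inbound", "access": "Deny",
      "protocol": "Tcp", "sourceAddressPrefix": "Internet",
      "destinationPortRanges": ["1270", "5985", "5986"]},
     {"name": "AllowAnyInbound", "priority": 300, "direction": "Inbound", "access": "Allow",
      "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}]},
  {"name": "nsg-internal", "resourceGroup": "rg-prod",
   "securityRules": [
     {"name": "AllowOMIFromCorp", "priority": 100, "direction": "Inbound", "access": "Allow",
      "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "1270"}]}
]""")


def port_matches(spec, port):
    """True if a destination port spec ('*', '5986' or '5985-5986') covers port."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def rule_matches_internet_tcp(rule, port):
    """True if this inbound rule applies to TCP traffic from the Internet to port."""
    if rule.get("direction") != "Inbound":
        return False
    if (rule.get("protocol") or "*").lower() not in ("*", "tcp"):
        return False
    sources = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.add(rule["sourceAddressPrefix"])
    if not sources & INTERNET_SOURCES:
        return False
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return any(port_matches(spec, port) for spec in specs)


def internet_can_reach(nsg, port):
    """Walk rules in priority order; the first matching rule decides."""
    rules = (nsg.get("securityRules") or []) + (nsg.get("defaultSecurityRules") or [])
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches_internet_tcp(rule, port):
            return rule["access"] == "Allow"
    return False  # no match: Azure's implicit DenyAllInBound


def exposed_omi_ports(nsgs):
    """Map NSG name -> OMI ports the Internet can reach (only NSGs with exposure)."""
    exposed = {}
    for nsg in nsgs:
        ports = [p for p in OMI_PORTS if internet_can_reach(nsg, p)]
        if ports:
            exposed[nsg["name"]] = ports
    return exposed


if __name__ == "__main__":
    # Real use: az network nsg list -o json > nsgs.json; nsgs = json.load(open("nsgs.json"))
    for name, ports in exposed_omi_ports(SAMPLE_NSGS).items():
        print(f"{name}: OMI ports reachable from the Internet: {ports}")
    # Remediation per exposed NSG (az CLI; resource group and NSG name are placeholders):
    #   az network nsg rule create -g rg-prod --nsg-name nsg-web -n DenyOMIFromInternet \
    #     --priority 100 --direction Inbound --access Deny --protocol Tcp \
    #     --source-address-prefixes Internet --destination-port-ranges 1270 5985 5986
```

On the sample, only `nsg-web` is reported (ports 5985 and 5986): `nsg-mgmt` has a deny rule for the OMI ports ahead of its allow-anything rule, and `nsg-internal` only admits a private range. The check is deliberately narrow: it treats only `*`, `Internet` and `0.0.0.0/0` as Internet sources, so a rule with a broad CIDR such as `0.0.0.0/1` would slip past it, and it says nothing about NICs that have no NSG at all. Treat it as a first pass, not a substitute for reviewing public IPs and load balancer rules.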
