On September 14, 2021, Microsoft disclosed that multiple vulnerabilities—including both unauthenticated remote code execution (RCE) and local privilege escalation (LPE)—existed within the Open Management Infrastructure (OMI) for Azure Linux virtual machines. The OMI agent is automatically installed on Azure Linux Virtual Machines when particular Azure services are enabled.
The vulnerabilities were privately disclosed to Microsoft and not thought to have been exploited in the wild. Microsoft has already released a patch and guidance that can be found here on how to configure your virtual machine to retrieve the update.
Alert Logic's products and infrastructure are not affected by this vulnerability.
The four vulnerabilities, dubbed “OMIGOD” by the Wiz.io Security Researchers who discovered them, were assigned the following CVE numbers:
- CVE-2021-38649 – LPE Vulnerability
  - CVSS 3.0 score: 7.0 / 6.1
- CVE-2021-38648 – LPE Vulnerability
  - CVSS 3.0 score: 7.8 / 6.8
- CVE-2021-38647 – Unauthenticated RCE Vulnerability
  - CVSS 3.0 score: 9.8 / 8.5
- CVE-2021-38645 – LPE Vulnerability
  - CVSS 3.0 score: 7.8 / 6.8
The OMI agent is automatically installed when any of the following Azure tools or services are leveraged. Microsoft has not published an extensive list of which services install the OMI agent, but the Wiz.io disclosure notes that the following tools do:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
- Azure Container Insights
As the OMI agent runs as root, attackers who successfully exploit these vulnerabilities could escalate privileges locally or execute code remotely with full system access. The most concerning vulnerability is CVE-2021-38647, which is technically trivial to exploit. If an OMI management port (5986, 5985, or 1270) is enabled and reachable from the internet, an attacker can gain root access by sending a crafted request that simply omits the authorization header.
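The condition described above (a request to an OMI management port with no Authorization header) is something a defender can look for in captured traffic. The following is an added detection sketch, not code from Alert Logic or Microsoft; it assumes captures have already been decrypted (for example at a TLS-terminating proxy) and that OMI serves WS-Management on the /wsman path. The sample captures are constructed.

```python
"""Flag HTTP requests to OMI management ports that carry no Authorization header.

Added example for the OMIGOD advisory; sample captures below are constructed,
not real traffic. Assumes the WS-Management endpoint path is /wsman.
"""
from dataclasses import dataclass

OMI_PORTS = {5985, 5986, 1270}  # ports named in the advisory


@dataclass
class Capture:
    src_ip: str
    dst_port: int
    raw_request: str  # request line plus headers, CRLF separated


def parse_request(raw_request):
    """Return (method, path, headers) with header names lower-cased."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(capture):
    """Classify one capture; only WS-Man POSTs without Authorization are alerts."""
    if capture.dst_port not in OMI_PORTS:
        return "not-omi"
    method, path, headers = parse_request(capture.raw_request)
    if method != "POST" or not path.lower().startswith("/wsman"):
        return "omi-other"
    if "authorization" not in headers:
        return "alert-unauthenticated-wsman"
    return "omi-authenticated"


def scan(captures):
    """Return (src_ip, dst_port) for every capture that should raise an alert."""
    return [(c.src_ip, c.dst_port) for c in captures if classify(c) == "alert-unauthenticated-wsman"]


# Constructed sample captures (hypothetical addresses, not real traffic).
SAMPLES = [
    Capture("203.0.113.7", 5986, "POST /wsman HTTP/1.1\r\nHost: vm\r\nContent-Type: application/soap+xml;charset=UTF-8\r\nContent-Length: 0\r\n\r\n"),
    Capture("10.0.0.5", 5986, "POST /wsman HTTP/1.1\r\nHost: vm\r\nAuthorization: Basic REDACTED\r\nContent-Type: application/soap+xml;charset=UTF-8\r\n\r\n"),
    Capture("10.0.0.9", 443, "POST /wsman HTTP/1.1\r\nHost: web\r\n\r\n"),
]

if __name__ == "__main__":
    for src_ip, port in scan(SAMPLES):
        print(f"unauthenticated WS-Man request to OMI port {port} from {src_ip}")
```

A hit from an internet-facing source on these ports is a strong signal to confirm the OMI version on the VM and apply the update described under Recommendations for Mitigation.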
Customers that use Azure Linux machines utilizing any of the tools listed above (or any configuration where the HTTP/S listener is enabled) should consider themselves vulnerable and are urged to follow Microsoft's guidance on updating.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has released unauthenticated scan coverage to identify this vulnerability in protected assets.
Network IDS: Alert Logic is actively working on deploying IDS signatures for this vulnerability.
Web Application Firewall: Due to the nature of this vulnerability, it is not expected that web application coverage is appropriate for this threat.
Log Management: Alert Logic is actively researching this threat to determine whether signatures can be developed to detect attacks.
Recommendations for Mitigation
Microsoft has released a patch for the four CVEs as a part of their September security update, but it is worth noting that patching is not automatic. According to Microsoft’s advisory, you can take the following steps to protect yourself from this vulnerability:
- Add the MSRepo to your system; based on the Linux OS that you are using, refer to this link to install the MSRepo to your system.
- Use your platform’s package tool to upgrade OMI (sudo apt-get install omi or sudo yum install omi).
For more information, refer to this article.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.