
OMIGOD Azure Linux Vulnerabilities

OMIGOD is a collection of four vulnerabilities affecting Microsoft's Open Management Infrastructure (OMI) agent, which is used to manage Linux environments in Azure. An attacker could exploit these vulnerabilities to execute their own code with root privileges, move laterally across an Azure environment, or escalate their privileges.




Affected platforms

The following platforms are known to be affected:

OMI Versions: all prior to 1.6.8-1

OMI is present in the following Azure products:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

Threat details

Introduction

Security researchers have disclosed details of four vulnerabilities, collectively known as OMIGOD, in Microsoft's Open Management Infrastructure (OMI) agent. They claim that an unauthenticated remote attacker could exploit some or all of these vulnerabilities to gain root access to Linux virtual machines running on Microsoft's Azure cloud computing service.

What is OMI?

OMI is an open-source implementation of the DMTF CIM and WS-Management standards, effectively the Linux and UNIX counterpart of Windows Management Instrumentation (WMI). It is used to manage both remote and local Linux (or UNIX-like) hosts, and is the basis of the System Center Operations Manager agent for Linux and UNIX servers.

The OMI agent runs as root. It is reachable locally through a Unix domain socket and, where a network listener has been enabled, over HTTP/HTTPS on TCP ports 1270 (used by System Center), 5985 or 5986. Not every Azure extension enables the network listener, but where it is enabled and reachable the agent accepts requests from the network, which is what turns the flaw below into an unauthenticated remote code execution.


Vulnerability details

All four OMIGOD vulnerabilities appear to be the result of conditional statement flaws in OMI's handling of authentication, where a missing or failed check falls through to a privileged default.

  • CVE-2021-38647 - Unauthenticated remote code execution - OMI treats any request that lacks an authentication header as coming from root. If an attacker simply omits the authentication header from a POST request to one of the OMI HTTP management ports, OMI will execute the commands in that request with root privileges. An attacker may use this to take control of affected environments, or for lateral movement once they have a foothold. The remote path requires the OMI HTTP(S) listener to be reachable from the attacker; the other three issues are local privilege escalations that do not depend on the network listener.
  • CVE-2021-38648 - Privilege escalation - Similar to CVE-2021-38647, but resulting from a communication failure between the OMI frontend omiengine process and the backend omiserver process.
  • CVE-2021-38645 - Privilege escalation - Similar to CVE-2021-38648. An attacker can intercept requests between the omicli and omiengine processes and obtain the authentication information within them, which may then be reused by the attacker.
  • CVE-2021-38649 - Privilege escalation - Similar to CVE-2021-38647 and CVE-2021-38648.

Remediation advice

Microsoft addressed the OMIGOD vulnerabilities in its September 2021 regular patch release, in OMI version 1.6.8-1. Affected organisations are encouraged to review the Microsoft Security Update Guide entries for CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649 and apply any relevant updates. Note that OMI is bundled with the Azure VM extensions listed above and is updated when those extensions are updated, not by the distribution's normal package updates, so it may not be updated automatically on every VM. Check the installed OMI version on each VM rather than assuming the fix has arrived, and until it has, restrict inbound access to TCP ports 1270, 5985 and 5986 (for example with a network security group) to management hosts only.

Microsoft has also provided additional information on securing OMI in the MSRC post 'Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions'.
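The following POSIX shell script is an added example covering the two practical points above (the management ports described under 'What is OMI?' and the version check in the remediation advice); it is not part of this advisory and is not Microsoft's own tooling. It assumes the OMI package is named `omi` in both dpkg and rpm, that `/opt/omi/bin/omiserver -v` prints a line ending in the version, and that `ss -lntp` is available; the sample `ss` row shown in the comments is constructed. Version strings are compared numerically field by field, so the rpm form `1.6.8-1` and the dpkg form `1.6.8.1` are treated as the same release.

```sh
#!/bin/sh
# omi_check.sh (added example, not part of this advisory or of Microsoft's
# guidance). Reports whether the installed OMI package is older than the
# fixed release 1.6.8-1 and whether omiserver is listening on one of its
# management ports (1270, 5985, 5986) on a non-loopback address.
# Run as root on the Linux VM so that `ss -p` can attribute sockets.

OMI_FIXED="1.6.8-1"

# omi_version_lt A B: succeed (exit 0) when version A is older than B.
# Every non-digit is treated as a separator, so the rpm form "1.6.8-1"
# and the dpkg form "1.6.8.1" compare equal.
omi_version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9]/ /g')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9]/ /g')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal, or A has extra trailing fields: not older
}

# omi_is_vulnerable VERSION: succeed when VERSION predates the fix.
omi_is_vulnerable() {
    omi_version_lt "$1" "$OMI_FIXED"
}

# Print the installed OMI version (nothing if OMI is not installed).
# Assumption: the package is named "omi"; as a fallback,
# "/opt/omi/bin/omiserver -v" is assumed to print a line ending in the version.
omi_installed_version() {
    v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    if [ -x /opt/omi/bin/omiserver ]; then
        /opt/omi/bin/omiserver -v 2>/dev/null | sed 's/.*: *//'
    fi
    return 0
}

# omi_exposed_listener LINE: succeed when LINE (one row of `ss -lntp`,
# whose 4th field is the local address:port) is an OMI management port
# bound to something other than loopback.
omi_exposed_listener() {
    case "$1" in
        *LISTEN*) ;;
        *) return 1 ;;
    esac
    addr=$(printf '%s\n' "$1" | awk '{print $4}')
    port=${addr##*:}
    host=${addr%:*}
    case "$port" in
        1270|5985|5986) ;;
        *) return 1 ;;
    esac
    case "$host" in
        127.*|'[::1]') return 1 ;;
    esac
    return 0
}

main() {
    rc=0
    v=$(omi_installed_version)
    if [ -z "$v" ]; then
        echo "OMI is not installed on this host."
        return 0
    fi
    if omi_is_vulnerable "$v"; then
        echo "OMI $v is older than $OMI_FIXED: vulnerable, update the omi package or the Azure extension that installed it."
        rc=1
    else
        echo "OMI $v is at or above $OMI_FIXED."
    fi
    # Constructed example of an `ss -lntp` row the function above flags:
    # LISTEN 0 128 0.0.0.0:5986 0.0.0.0:* users:(("omiserver",pid=1234,fd=7))
    ss -lntp 2>/dev/null | while IFS= read -r line; do
        omi_exposed_listener "$line" && echo "Network-exposed OMI listener: $line"
    done
    return $rc
}

# Only run the check when executed as omi_check.sh, so the functions can
# also be sourced by other scripts without side effects.
case "${0##*/}" in
    omi_check.sh) main "$@" ;;
esac
```

Save it as `omi_check.sh` and run it as root on each VM; a non-zero exit means the installed OMI predates 1.6.8-1. A listener bound to `0.0.0.0` or `[::]` on one of the three ports means the remote code execution path is reachable from whatever the VM's network security group allows in, so that is the host to firewall first.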



Last edited: 17 September 2021 4:38 pm