Skip to main content
OMIGOD Azure Linux Vulnerabilities

OMIGOD is a collection of four vulnerabilities affecting Microsoft's OMI tooling used to manager Linux environments in Azure. An attacker could exploit these vulnerabilities to execute their own code, propagate across an Azure environment, or escalate their privileges.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

Summary

OMIGOD is a collection of four vulnerabilities affecting Microsoft's OMI tooling used to manager Linux environments in Azure. An attacker could exploit these vulnerabilities to execute their own code, propagate across an Azure environment, or escalate their privileges.


Affected platforms

The following platforms are known to be affected:

OMI Versions: all prior to 1.6.8-1

OMI is present in the following Azure products:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights

Threat details

Introduction

Security researchers have disclosed details of four vulnerabilities, collectively known as OMIGOD, affecting Microsoft's Open Management Infrastructure (OMI) tool. They claim that an unauthenticated remote attacker may exploit some or all of these vulnerabilities to gain administrative access to Linux virtual environment's running on Microsoft's Azure cloud computing service.

What is OMI?

OMI is an open-source version of Windows Management Infrastructure (WMI) tool. It is used to manage both remote and local Linux (or UNIX-like) environments; and is included in the Microsoft System Center for Linux server management tool.

The OMI agent runs with administrative privileges and can be controlled via HTTP/HTTPS over ports 1270, 5985, or 5986.

Vulnerability details

All four OMIGOD vulnerabilities appear to be the result of conditional statement flaws in OMI.

  • CVE-2021-38647 - Unauthenticated remote code execution - OMI responds with root-level privileges to any access request without an authentication header . If a user deletes the authentication header from their POST request to the OMI HTTP management ports then OMI will execute any commands in the request with administrative privileges. An attacker may use this to take control of affected environments or for lateral traversal once they have control.
  • CVE-2021-38648 - Privilege escalation - Similar to CVE-2021-38647, although it is the result of a communication failure between the OMI frontend omiengine process and the backend omiserver process.
  • CVE-2021-38645 - Privilege escalation - Similar to CVE-2021-38648. An attacker can intercept requests between the omicli and omiengine process and obtain the authentication information within them. This information may then be reused by the attacker
  • CVE-2021-38649 - Privilege escalation - Similar to CVE-2021-38647 and CVE-2021-38648.

Remediation advice

Microsoft addressed the OMIGOD vulnerabilities in their September 2021 regular patch release. Affected organisations are encouraged to review the following Microsoft Security Update Guides and apply any relevant updates:

Microsoft has also provided additional information on securing OMI in their MSRC post 'Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions'.



Last edited: 17 September 2021 3:38 pm