Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities.
The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.
According to Wiz researchers Nir Ohfeld and Shir Tamari, these bugs impact thousands of Azure customers and millions of endpoints.
Root privileges with a single packet
OMIGOD affects Azure VMs that use Linux management solutions with services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, or Azure Diagnostics.
Successful exploitation enables attackers to escalate privileges and execute code remotely on compromised Linux VMs.
"This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints," Wiz researcher Nir Ohfeld said regarding the CVE-2021-38647 RCE bug.
"With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.
"[T]his vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it."
Manual updates required for existing Azure VMs
While working to address these bugs, Microsoft introduced an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit.
The company released a patched OMI software agent version on September 8 and assigned CVEs only one week later, as part of the September Patch Tuesday.
To make things worse for affected customers, Microsoft has no mechanism available to auto-update vulnerable agents on all impacted Azure Linux machines.
Instead, the company has urged customers to upgrade the vulnerable software manually to secure their endpoints from attacks using OMIGOD exploits.
"Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below," the Microsoft Security Response Center team said. [emphasis ours]
"New VMs in these regions will be protected from these vulnerabilities post the availability of updated extensions."
| Extension/Package | Deployment Model | Vulnerability Exposure | Vulnerable Extension Versions | Fixed Extension Versions | Updated Extension Availability |
|---|---|---|---|---|---|
| OMI as standalone package | On Premises/Cloud | Remote Code Execution | OMI module version 1.6.8.0 or less | OMI module v1.6.8-1 | Manually download the update here |
| System Center Operations Manager (SCOM) | On Premises | Remote Code Execution | OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring) | OMI version: 1.6.8-1 | Manually download the update here |
| Azure Automation State Configuration, DSC Extension | Cloud | Remote Code Execution | DSC Agent versions: 2.71.X.XX (except the fixed version or higher), 2.70.X.XX (except the fixed version or higher), 3.0.0.1, 2.0.0.0 | DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update extension using instructions here |
| Azure Automation State Configuration, DSC Extension | On Premises | Remote Code Execution | OMI versions below v1.6.8-1 (OMI framework is a pre-requisite install for DSC agent) | OMI version: 1.6.8-1 | Manually update OMI using instructions here |
| Log Analytics Agent | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Log Analytics Agent | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Diagnostics (LAD) | Cloud | Local Elevation of Privilege | LAD v4.0.0-v4.0.5, LAD v3.0.131 and earlier | LAD v4.0.11 and LAD v3.0.133 | Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
| Azure Automation Update Management | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation Update Management | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Automation | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Security Center | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Container Monitoring Solution | Cloud | Local Elevation of Privilege | See Note 1 | See Note 2 | Updated Container Monitoring Solution Docker image is available here |
To manually update the OMI agent, you can also use a Linux package manager:
Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs
You can then use your platform's package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).
Microsoft will update vulnerable Azure VM management extensions across Azure regions on cloud deployments with auto-update turned on (the extensions will be transparently patched without a VM restart).
However, this means that customers will still have to make changes manually to their Azure Linux machines if automatic extension updates are not toggled on.
"Updates are already available for DSC and SCOM to address the remote execution vulnerability (RCE)," the MSRC team added.
"While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207)."
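A small host triage script, added here and not from the article or Microsoft, that combines the two checks the guidance above calls for: whether the installed OMI package is below the fixed 1.6.8-1, and whether the OMI ports (TCP 5985, 5986, 1207) are listening on a non-loopback address and so depend on an NSG or firewall for protection. The version strings and the `ss -ltn` lines in the script are constructed samples.

```shell
#!/bin/sh
# OMIGOD triage helper (added example). Assumes the fixed OMI version 1.6.8-1
# and the OMI ports 5985/5986/1207 named in Microsoft's guidance.

# omi_vulnerable VERSION -> exit 0 if VERSION is below 1.6.8-1, 1 otherwise.
# Accepts both rpm-style "1.6.8-1" and deb-style "1.6.8.1" strings: every
# non-digit is treated as a separator, then up to four fields are compared.
omi_vulnerable() {
    ver=$(printf '%s' "$1" | tr -c '0-9\n' '.')
    fixed="1.6.8.1"
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s' "$ver"   | cut -d. -f"$i")
        b=$(printf '%s' "$fixed" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi   # older than the fix
        if [ "$a" -gt "$b" ]; then return 1; fi   # newer than the fix
        i=$((i + 1))
    done
    return 1                                      # exactly the fixed version
}

# exposed_omi_listeners: reads `ss -ltn` output on stdin and prints each OMI
# port that is bound to something other than a loopback address.
exposed_omi_listeners() {
    awk '$1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            port = $4; sub(/.*:/, "", port)
            if ((port + 0 == 5985 || port + 0 == 5986 || port + 0 == 1207) &&
                addr != "127.0.0.1" && addr != "[::1]")
                print addr ":" port
         }'
}

# Constructed sample `ss -ltn` output: two OMI ports exposed, one loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5985       0.0.0.0:*
LISTEN 0      128    127.0.0.1:1207     0.0.0.0:*
LISTEN 0      128    [::]:5986          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# On a live host, replace the samples with the real values, for example:
#   dpkg-query -W -f='${Version}\n' omi        (Debian/Ubuntu)
#   rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' omi   (RHEL/CentOS/SLES)
#   ss -ltn | exposed_omi_listeners
for v in 1.6.8.0 1.6.8-1 1.6.4.1; do
    if omi_vulnerable "$v"; then echo "omi $v: VULNERABLE, update"; else echo "omi $v: fixed"; fi
done
printf '%s\n' "$SAMPLE_SS" | exposed_omi_listeners
```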