Microsoft asks Azure Linux admins to manually patch OMIGOD bugs


Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities.

The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.

According to Wiz researchers Nir Ohfeld and Shir Tamari, these bugs impact thousands of Azure customers and millions of endpoints.

Root privileges with a single packet

OMIGOD affects Azure VMs that use Linux management solutions with services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, or Azure Diagnostics.

Successful exploitation enables attackers to escalate privileges and execute code remotely on compromised Linux VMs.

"This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints," Wiz researcher Nir Ohfeld said regarding the CVE-2021-38647 RCE bug.

"With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.

"[T]his vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it."

Manual updates required for existing Azure VMs

While working to address these bugs, Microsoft introduced an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit.

The company released a patched OMI software agent version on September 8 and assigned CVEs only one week later, as part of the September Patch Tuesday.

To make things worse for affected customers, Microsoft has no mechanism available to auto-update vulnerable agents on all impacted Azure Linux machines.

Instead, the company has urged customers to upgrade the vulnerable software manually to secure their endpoints from attacks using OMIGOD exploits.

"Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below," the Microsoft Security Response Center team said. [emphasis ours]

"New VMs in these regions will be protected from these vulnerabilities post the availability of updated extensions."

| Extension/Package | Deployment Model | Vulnerability Exposure | Vulnerable Extension Versions | Fixed Extension Versions | Updated Extension Availability |
|---|---|---|---|---|---|
| OMI as standalone package | On Premises/Cloud | Remote Code Execution | OMI module version 1.6.8.0 or less | OMI module v1.6.8-1 | Manually download the update here |
| System Center Operations Manager (SCOM) | On Premises | Remote Code Execution | OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring) | OMI version: 1.6.8-1 | Manually download the update here |
| Azure Automation State Configuration, DSC Extension | Cloud | Remote Code Execution | DSC Agent versions: 2.71.X.XX (except the fixed version or higher); 2.70.X.XX (except the fixed version or higher); 3.0.0.1; 2.0.0.0 | DSC Agent versions: 2.71.1.25; 2.70.0.30; 3.0.0.3 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update extension using instructions here |
| Azure Automation State Configuration, DSC Extension | On Premises | Remote Code Execution | OMI versions below v1.6.8-1 (OMI framework is a pre-requisite install for DSC agent) | OMI version: 1.6.8-1 | Manually update OMI using instructions here |
| Log Analytics Agent | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Log Analytics Agent | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Diagnostics (LAD) | Cloud | Local Elevation of Privilege | LAD v4.0.0-v4.0.5; LAD v3.0.131 and earlier | LAD v4.0.11 and LAD v3.0.133 | Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
| Azure Automation Update Management | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation Update Management | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Automation | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Security Center | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Container Monitoring Solution | Cloud | Local Elevation of Privilege | See Note 1 | See Note 2 | Updated Container Monitoring Solution Docker image is available here |

To manually update the OMI agent, you can also use a Linux package manager:

Add the Microsoft repository (MSRepo) to your system. Depending on the Linux distribution you are using, follow the instructions in Linux Software Repository for Microsoft Products | Microsoft Docs.

You can then use your platform's package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).
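The following POSIX shell script is an added example, not code from the article or from Microsoft: it reads the installed omi package version from dpkg or rpm, reports whether it is older than the fixed 1.6.8-1 build (the version comparison treats 1.6.8-1 and 1.6.8.1 as the same release), and with `--upgrade` installs the fix through apt-get or yum. It assumes the Microsoft repository has already been added as described above.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): check whether the installed
# OMI package is older than the fixed 1.6.8-1 build and, with --upgrade, install
# the fix via apt-get or yum (assumes the Microsoft repo is already configured).
FIXED_OMI_VERSION="1.6.8-1"
# Return 0 (true) when version $1 is strictly older than $2. The "-release"
# suffix is folded into the dotted list, so 1.6.8-1 and 1.6.8.1 compare equal.
omi_version_is_older() {
    printf '%s\n%s\n' "$1" "$2" | tr '-' '.' | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; na = NF; next }
        {
            n = (NF > na) ? NF : na
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] : 0; y = (i <= NF) ? $i + 0 : 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1
        }'
}

# Print the installed omi version; empty output and non-zero status if absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    else
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null
    fi
}

# Exit 0 if OMI is absent or already fixed, 2 if the installed build is vulnerable.
report_omi_status() {
    v=$(installed_omi_version) || v=""
    [ -n "$v" ] || { echo "omi package not installed"; return 0; }
    if omi_version_is_older "$v" "$FIXED_OMI_VERSION"; then
        echo "VULNERABLE: omi $v is older than $FIXED_OMI_VERSION"; return 2
    fi
    echo "OK: omi $v"
}

# Upgrade with the package tool the article names (apt-get or yum).
upgrade_omi() {
    if command -v apt-get >/dev/null 2>&1; then sudo apt-get update && sudo apt-get install -y omi
    else sudo yum install -y omi; fi
}

case "${1:-}" in
    --check)   report_omi_status ;;
    --upgrade) report_omi_status || upgrade_omi ;;
esac
```

Run it as `sh omi-check.sh --check` on each Linux VM; the exit status (2 for a vulnerable build) makes it usable from a fleet-wide inventory job.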

Microsoft will update vulnerable Azure VM management extensions across Azure regions on cloud deployments with auto-update turned on (the extensions will be transparently patched without a VM restart).

However, this means that customers will still have to make changes manually to their Azure Linux machines if automatic extension updates are not toggled on.

"Updates are already available for DSC and SCOM to address the remote execution vulnerability (RCE)," the MSRC team added.

"While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207)."
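Before relying on an NSG or perimeter firewall, it helps to know which of the OMI ports named above are actually bound beyond loopback on a given host. The script below is an added example, not code from the article or from MSRC: it parses `ss -ltn` output and flags listeners on TCP 5985, 5986 or 1207 whose local address is not 127.0.0.1 or [::1]. The sample `ss` output embedded in it is constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): list TCP listeners on the
# OMI ports MSRC says to restrict (5985, 5986, 1207) that are bound to a
# non-loopback address and are therefore reachable over the network.
OMI_PORTS="5985 5986 1207"

# Read `ss -ltn` output on stdin; print "port address" for each OMI port that
# listens on something other than loopback. Exit 1 if any were found, else 0.
exposed_omi_listeners() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "State" { next }                       # skip the header line
        {
            la = $4                                  # "Local Address:Port" column
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print port, addr; found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample of `ss -ltn` output: 5985 is loopback-only, 5986 and 1207
# are bound to all addresses and would be flagged.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985    0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986      0.0.0.0:*
LISTEN 0      128    [::]:1207         [::]:*'

check_sample() { printf '%s\n' "$SAMPLE_SS" | exposed_omi_listeners; }
check_live()   { ss -ltn | exposed_omi_listeners; }   # run on a real host

case "${1:-}" in
    --live)   check_live ;;
    --sample) check_sample ;;
esac
```

`sh omi-ports.sh --sample` prints `5986 0.0.0.0` and `1207 [::]` from the constructed data; `--live` runs the same check against the host's real listeners.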
