IT administrators overseeing certain Microsoft Azure Linux virtual machines are being urged to make sure patches are installed after the discovery of four zero-day vulnerabilities that could allow systems to be compromised.
The vulnerabilities have collectively been dubbed ‘OMIGOD’ because they involve a little-known software agent called Open Management Infrastructure (OMI) that’s embedded in many popular Azure services. OMI is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs.
However, all OMI versions below v1.6.8-1 are vulnerable to the bugs discovered by researchers at a cybersecurity company called Wiz. When customers set up a Linux virtual machine in their cloud, their report notes, the OMI agent is automatically deployed and runs at the highest privilege possible without their knowledge when they enable certain Azure services.
“Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code,” researchers warned.
“We named this quartet of zero-days “OMIGOD” because that was our reaction when we discovered them. We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65 per cent were unknowingly at risk.”
On Thursday Microsoft issued updated guidance on dealing with the problem, which only impacts customers using a Linux management solution (on-premises System Centre Operations Manager SCOM, Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.
Customers must update vulnerable extensions for their cloud and on-premises deployments as the updates become available, said Microsoft. It also released a schedule of when those updates are coming.
New VM’s in Azure regions will be protected from these vulnerabilities after the availability of updated extensions, Microsoft said. For cloud deployments with auto-update turned on, Microsoft will actively deploy the updates to extensions across Azure regions under the release schedule. The automatic extension updates will be transparently patched without a reboot, it said. “Where possible,” it adds, “customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.”
Updates are already available for DSC and SCOM to address the remote execution vulnerability. While updates are being rolled out using safe deployment practices, customers can protect against the remote code executive vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207), Microsoft said.
Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows and are not impacted by these vulnerabilities, it added.
The four vulnerabilities are
- CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
- CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)
Wiz says environments that could be compromised run Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights.
In addition to Azure cloud customers, add Wiz researchers, other Microsoft customers are affected since OMI can be independently installed on any Linux machine and is frequently used on-premise. For example, they note, OMI is built into System Center for Linux, Microsoft’s server management solution.