A couple of weeks ago a new case exploded around Azure virtual machines (Azure VM), and on-premises as well, and specifically those Linux with Open Management Infrastructures on board. In deep there are three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647).
Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs.
Before creating the panic, there are three scenarios that can lead to compromise:
- Public port of ports 1270, 5986, 5985
- OMI agent lower than v1.6.8-1
- Using SCOM, Azure Automation or Azure Desired State Configuration
If none of these conditions are met, then you don’t have to do anything for your virtual machines.
In a nutshell, anyone with access to an endpoint running a vulnerable version (less than 188.8.131.52) of the OMI agent can execute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401 unauthorized response. However, the user is able to execute commands with root privileges.
To defend yourself against this, it is necessary to respect a series of rules:
- Update the OMI agent
- Update SCOM Management Pack
- Close any unnecessary doors
- Use the Network Security Groups
- Use Azure Defender and Azure Security Center to check machine compliance
- Use Azure Sentinel to check for machine compromise
Regarding the last point, the security team has published a series of queries and hunting rules to understand if your machine has been attacked or not – Hunting for OMI Vulnerability Exploitation with Azure Sentinel – Microsoft Tech Community.
Obviously, to execute the queries in detail, the Log Analytics agent must be present inside the machine and the logs must be captured.
More information about the problem can be found in this article – Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security Response Center.
For more great blogs click here.
I’m founder and CEO at Inside Technologies, a company focused to drive into the future all the organizations thanks to power of Information Technology. Passionate about cultures that foster innovation and collaboration, I drive companies to fast turnaround of value to increase ROI. My motto is “There’s no more difference between small and large companies. Everyone needs to be available every day of the year!.
My experience includes leading and manage process and operations for different kind of projects. I had provided IT services for multiple organizations and transformed operational processes. Speaker and author, I collaborate side-by-side with the most important IT companies, like Microsoft, Veeam, Parallels, Netwrix, 5nine, to provide technical sessions, videos and articles for the technical users.
As member of Inside Technologies, I heavily collaborating with the most important software house in several different programs such as Microsoft Azure Advisor and various Preview Programs, like Windows Admin Center.
I really believe into knowledge sharing and this is the reason why I’m Community Lead of WindowServer.it since 2006, speaker during public conferences, moreover than the speaker in many conferences organizer of Server Infrastructure Days (SID), one of the most important conference for IT Pro Business in Italy.
Since 2012 I’m Microsoft MVP for Cloud and Datacenter Management and Very Important Parallels Person since 2016.
Di Benedetto, S. (2021). A VULNERABILITIES WITHIN AZURE VM MANAGEMENT EXTENSIONS. Available at: https://www.silviodibenedetto.com/omigod-a-vulnerabilities-within-azure-vm-management-extensions/