Microsoft patches OMIGOD vulnerabilities on Azure Linux VMs

Microsoft patches OMIGOD vulnerabilities
Written by Emma Davis

Microsoft has patched four vulnerabilities, one of them critical, that are collectively named OMIGOD. The issues were found in Open Management Infrastructure (OMI), an agent that is silently and automatically installed on Azure Linux VMs (Linux VMs make up more than half of all Azure instances).

The OMIGOD issues have been fixed in an updated OMI release, but the agent has no automatic update mechanism, so most Azure Linux VMs will remain vulnerable until the update is installed manually.

Open Management Infrastructure is the Linux counterpart of Windows Management Instrumentation (WMI): a management agent that collects configuration and monitoring data from the host and reports it to a central management server.

Unbeknownst to most Azure customers, Microsoft silently installs OMI on Azure Linux VMs whenever certain management extensions are enabled. Moreover, the OMI agent runs with root privileges.

OMIGOD contains the following vulnerabilities:

  • CVE-2021-38647 – unauthenticated remote code execution (CVSS 9.8);
  • CVE-2021-38648 – privilege escalation (CVSS 7.8);
  • CVE-2021-38645 – privilege escalation (CVSS 7.8);
  • CVE-2021-38649 – privilege escalation (CVSS 7.0).

As you might guess, the most serious of the four is CVE-2021-38647, which allows an attacker to take over a virtual machine simply by sending it a specially crafted packet. Even worse, once inside the network, an attacker can repeat the attack against other systems and continue until the network is completely compromised.


“This is a classic RCE vulnerability that could have been found in the 90s. It is extremely unusual that in 2021 such a vulnerability appeared that could [jeopardize] millions of endpoints. With just one packet, an attacker can become a root user on a remote machine by simply removing the authentication header. It’s really that simple,” write the Wiz researchers who discovered the problems.

The researchers note that, fortunately, the ports through which this bug can be exploited are not exposed to the Internet by default.

“If you have OMI listening on ports 5985, 5986 or 1270, we recommend immediately restricting network access to these ports to protect against the vulnerability (CVE-2021-38647),” the Wiz statement reads.

Alas, even if these ports are not reachable, the other three OMIGOD bugs are local privilege escalations: an attacker who already has low-privileged code execution on the VM (for example, by tricking an Azure user into opening a malicious file) can abuse them so that the attacker’s code ultimately runs as root.

But the worst news in this situation is the already mentioned lack of an automatic update mechanism in OMI. Most users do not know that OMI exists at all, since it works invisibly, so they obviously will not update it manually either. Meanwhile, OMI is installed and enabled when any of the following tools and services is activated:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics.
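The two practical steps above, finding out whether OMI is present and up to date and restricting access to ports 5985, 5986 and 1270, as one triage script for an Azure Linux VM. This is an added example and not code from the article, from Wiz or from Microsoft. The fixed-version value it compares against is an assumption to be verified against Microsoft's advisory (it can be overridden through the environment), the `ss` output it falls back to is a constructed sample, and the firewall rules are printed rather than applied.

```shell
#!/bin/sh
# omi_check.sh: added example, not code from the article, Wiz or Microsoft.
# Triage for an Azure Linux VM: is the OMI package installed and at which version,
# is omiserver listening on the WS-Man/OMI ports, and is it running as root.
# Nothing is changed on the host; firewall rules are printed, not applied.

OMI_PORTS="5985 5986 1270"
# Assumption: the first fixed OMI release. Check Microsoft's advisory for
# CVE-2021-38647 before relying on this value; override it via the environment.
OMI_FIXED_VERSION="${OMI_FIXED_VERSION:-1.6.8.1}"

# Constructed sample of `ss -lntp` output for demonstration (not a real capture).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*         users:(("omiserver",pid=1094,fd=7))
LISTEN 0      128    127.0.0.1:1270     0.0.0.0:*         users:(("omiserver",pid=1094,fd=8))'

# version_ge A B: exit 0 when dotted version A is at or above B. Non-digit
# characters (e.g. a "-0" package suffix) are treated as separators.
version_ge() {
    ver_a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    ver_b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $ver_a
    for y in $ver_b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Installed OMI version from the package manager; prints nothing if not installed.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}' omi
    fi
    return 0
}

# Read `ss -lntp` output on stdin and print "<port> <bind-address> <process>" for
# every listener on an OMI port. A bind address of 0.0.0.0, * or [::] means the
# unauthenticated endpoint (CVE-2021-38647) is reachable from the network;
# 127.0.0.1 is only reachable locally. ss needs root to show other users' processes.
omi_listeners() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[0-9]+$/, "", host)
            if (port in want) {
                proc = "unknown"
                if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
                print port, host, proc
            }
        }'
}

# Print (do not apply) iptables rules that allow the OMI ports only from a
# management CIDR and drop everything else. On Azure the same restriction belongs
# in the VM's network security group as well.
omi_firewall_rules() {
    mgmt_cidr="$1"
    for port in $OMI_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -s $mgmt_cidr -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

main() {
    ver=$(omi_installed_version)
    if [ -z "$ver" ]; then
        echo "OMI package: not installed"
    elif version_ge "$ver" "$OMI_FIXED_VERSION"; then
        echo "OMI package: $ver (at or above $OMI_FIXED_VERSION)"
    else
        echo "OMI package: $ver (BELOW $OMI_FIXED_VERSION, update required)"
    fi
    echo "OMI listeners (port bind-address process):"
    if command -v ss >/dev/null 2>&1; then
        ss -lntp 2>/dev/null | omi_listeners
    else
        echo "  ss not available; showing the constructed sample instead"
        printf '%s\n' "$SAMPLE_SS" | omi_listeners
    fi
    if command -v pgrep >/dev/null 2>&1 && pgrep -u root -x omiserver >/dev/null 2>&1; then
        echo "omiserver is running as root (pids: $(pgrep -u root -x omiserver | tr '\n' ' '))"
    fi
    echo "Suggested firewall rules (replace 10.0.0.0/24 with your management network):"
    omi_firewall_rules 10.0.0.0/24
}

# Runs the checks when saved and executed as omi_check.sh; sourcing only defines the functions.
case "$0" in *omi_check.sh) main ;; esac
```

Run it as root so that `ss -p` can attribute sockets to `omiserver`; a listener bound to 0.0.0.0 or [::] on any of the three ports is the condition Wiz warns about, and a version below the fixed release means the host also needs the package update, not just the firewall rule.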

Let me remind you that earlier we reported that Microsoft fixes MSHTML vulnerability and residual PrintNightmare issues.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
