OMIGOD: vulnerabilities within Azure VM Management Extensions

A couple of weeks ago a new case exploded around Azure virtual machines, and on-premises machines as well, specifically Linux hosts with Open Management Infrastructure on board. In detail, there are three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647).

Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs.

Before panicking, check whether any of the three scenarios that can lead to compromise applies to you:

  • Ports 1270, 5986 or 5985 exposed publicly
  • OMI agent version lower than v1.6.8-1
  • Use of SCOM, Azure Automation or Azure Desired State Configuration

If none of these conditions are met, then you don’t have to do anything for your virtual machines.
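As an added triage helper (not part of the original post or of Microsoft's tooling), the script below evaluates the first two conditions from evidence a defender would collect on a Linux VM: the installed OMI package string (for example from `rpm -q omi`) and the output of `ss -ltn`. The sample inputs are constructed; the third condition (use of SCOM, Azure Automation or DSC) is an inventory question and is not checked here.

```python
import re

FIXED_VERSION = "1.6.8-1"       # first OMI release without the flaw, per the post
OMI_PORTS = {1270, 5985, 5986}  # OMI/WS-Man listeners named in the post

def parse_version(text):
    """'1.6.8-1' or 'omi-1.6.8-1.x86_64' -> ((1, 6, 8), 1); the release sorts last,
    so 1.6.8-0 < 1.6.8-1 < 1.6.9-0 and 1.6.10 > 1.6.8."""
    m = re.search(r"(\d+(?:\.\d+)*)(?:-(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0))

def is_vulnerable_version(installed):
    """True when the installed OMI agent is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

def exposed_omi_ports(ss_output):
    """OMI ports listening on a non-loopback address in `ss -ltn` output.
    Reachability from the Internet still depends on the VM's Network Security Group."""
    found = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")  # '0.0.0.0:5986' or '[::]:1270'
        if host.strip("[]") in ("127.0.0.1", "::1"):
            continue  # loopback only: not reachable remotely
        if port.isdigit() and int(port) in OMI_PORTS:
            found.add(int(port))
    return found

def triage(installed_version, ss_output):
    """One report covering the first two conditions listed in the post."""
    old = is_vulnerable_version(installed_version)
    ports = exposed_omi_ports(ss_output)
    return {
        "old_agent": old,                      # EoP risk even with no open port
        "listening_omi_ports": sorted(ports),
        "rce_exposure": old and bool(ports),   # unauthenticated RCE needs both
    }

SAMPLE_RPM = "omi-1.6.4-1.x86_64"  # constructed sample evidence, not from a real VM
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:5986          [::]:*
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*
"""
if __name__ == "__main__":
    print(triage(SAMPLE_RPM, SAMPLE_SS))
```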

In a nutshell, anyone with access to an endpoint running a vulnerable version (lower than 1.6.8-1) of the OMI agent can execute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401 Unauthorized response; instead, the request is accepted and the commands run with root privileges.

To defend yourself against this, a series of rules must be followed:

  • Update the OMI agent
  • Update SCOM Management Pack
  • Close any unnecessary ports
  • Use Network Security Groups
  • Use Azure Defender and Azure Security Center to check machine compliance
  • Use Azure Sentinel to check for machine compromise

Regarding the last point, the security team has published a series of queries and hunting rules to determine whether your machine has been attacked: Hunting for OMI Vulnerability Exploitation with Azure Sentinel – Microsoft Tech Community.

Naturally, to run these queries the Log Analytics agent must be installed on the machine and its logs must be collected.

More information about the problem can be found in this article: Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security Response Center.

#DBS