OMIGOD Vulnerabilities Disclosed

Researchers disclosed four vulnerabilities in Microsoft’s OMI (Open Management Infrastructure). OMI is an open source Common Information Model (CIM) server used for managing Unix and Linux systems. The vulnerabilities range from 7.0 to 9.8 CVSS scores. The Remote Code Execution (RCE), CVE-2021-38647, is extremely simple to execute, requiring only the removal of the auth header to gain root privileges.

  • CVE-2021-38647: OMI Remote Code Execution Vulnerability (CVSS: 9.8)
  • CVE-2021-38648: OMI Elevation of Privilege Vulnerability (CVSS: 7.8)
  • CVE-2021-68645: OMI Elevation of Privilege Vulnerability (CVSS: 7.8)
  • CVE-2021-38649: OMI Elevation of Privilege Vulnerability (CVSS: 7.0)

The vulnerabilities are colloquially referred to as OMIGOD and are found within the OMI agents installed on Azure Linux virtual machines. The agents are found in several Azure services including Azure Automation, Automatic Update, Operation Management Suite, Diagnostics, Container Insights and more.

Microsoft Guidance

On Sept 16, Microsoft published a blog outlining the OMI vulnerabilities and guidances on how to address these vulnerabilities. As part of the guidance, Microsoft notes that all versions of OMI below v1.6.8-1 are vulnerable.

To remediate these vulnerabilities, Microsoft states that customers must update vulnerable extensions for their cloud and on-premise deployments as the updates become available. Many of the updates require manual interaction to deploy the updates to the various services.

Extension/Package

Vulnerability Exposure

Updated Extension Availability

OMI as standalone package

Remote Code Execution

Manually download the update here

System Center Operations Manager (SCOM)

Remote Code Execution

Manually download the update here

Azure Automation State Configuration, DSC Extension

Remote Code Execution

Automatic updates enabled: update is rolling out, globally available by 9/18/2021. 

Automatic updates disabled: manually update extension using instructions here

Azure Automation State Configuration, DSC Extension

Remote Code Execution

Manually update OMI using instructions here.

Log Analytics Agent

Local Elevation of Privilege

Manually update using instructions here

Log Analytics Agent

Local Elevation of Privilege

Automatic updates enabled: update is rolling out, globally available by 9/18/2021.  Automatic updates disabled: Manually update using instructions here

Azure Diagnostics (LAD)

Local Elevation of Privilege

Automatic updates enabled: update is rolling out, globally available by 9/19/2021

Azure Automation Update Management

Local Elevation of Privilege

Automatic updates enabled: update is rolling out, globally available by 9/18/2021.  Automatic updates disabled: Manually update using instructions here

Azure Automation Update Management

Local Elevation of Privilege

Manually update using instructions here

Azure Automation

Local Elevation of Privilege

Automatic updates enabled: update is rolling out, globally available by 9/18/2021.  Automatic updates disabled: Manually update using instructions here

Azure Automation

Local Elevation of Privilege

Manually update using instructions here

Azure Security Center

Local Elevation of Privilege

Automatic updates enabled: update is rolling out, globally available by 9/18/2021.  Automatic updates disabled: Manually update using instructions here

Container Monitoring Solution

Local Elevation of Privilege

Updated Container Monitoring Solution Docker image is available here

 

Automox Worklet for OMIGOD Remediation

Due to the high criticality and the fact that adversaries are already scanning networks for these vulnerabilities, it is critical that these vulnerabilities be addressed in your infrastructure immediately.

Evaluation Code

 

#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+    Updates OMI on Azure Linux VM's.
#%
#% DESCRIPTION
#%    The eval code checks to see if the device is an Azure VM.
#%    If it is, it will install the Microsoft Repository and
#%    update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#%    ./evaluation.sh
#%
#% EXAMPLES
#%  ./evaluation.sh
#%
#================================================================
#- IMPLEMENTATION
#-    version         secops-update_azure_omi (www.automox.com) 1.0
#-    author          Adam Nadrowski
#-    reviewer        Tim Millikin
#-
#================================================================
#  HISTORY
#     09/17/2021 : Adam Nadrowski : Script creation
#     09/17/2021 : Tim Millikin : Validated and catalogued
#     09/18/2021 : Adam Nadrowski : Update to eval code
#
#================================================================
# END_OF_HEADER
#================================================================
ASSET_TAG=$(dmidecode --string chassis-asset-tag)
if [ "$ASSET_TAG" != "7783-7084-3265-9085-8269-3286-77" ]; then
exit 0
fi
exit 1

Remediation Code

#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+    Updates OMI on Azure Linux VM's.
#%
#% DESCRIPTION
#%    The eval code checks to see if the device is an Azure VM.
#%    If it is, it will install the Microsoft Repository and
#%    update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#%    ./remediation.sh
#%
#% EXAMPLES
#%  ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#-    version         secops-update_azure_omi (www.automox.com) 1.0
#-    author          Adam Nadrowski
#-    reviewer        Tim Millikin
#-
#================================================================
#  HISTORY
#     09/17/2021 : Adam Nadrowski : Script creation
#     09/17/2021 : Tim Millikin : Validated and catalogued
#     09/18/2021 : Adam Nadrowski : Update to eval code
#
#================================================================
# END_OF_HEADER
#================================================================
PMC_URL=https://packages.microsoft.com/config
SCALED_VERSION=
CHANNEL=prod
detect_distro()
{
if [ -f /etc/os-release ]; then
if [[ $(grep -o -i "amazon_linux:2" /etc/os-release) ]]; then
DISTRO='rhel'
VERSION=7
else
. /etc/os-release
DISTRO=$ID
VERSION=$VERSION_ID
fi
elif [ -f /etc/redhat-release ]; then
if [ -f /etc/oracle-release ]; then
DISTRO="ol"
elif [[ $(grep -o -i "Red\ Hat" /etc/redhat-release) ]]; then
DISTRO="rhel"
elif [[ $(grep -o -i "Centos" /etc/redhat-release) ]]; then
DISTRO="centos"
fi
VERSION=$(grep -o "release .*" /etc/redhat-release | cut -d ' ' -f2)
else
echo "Unable to detect distro"
fi
echo "Distro detected or similar to: $DISTRO"
}
scale_version_id()
{
if [ "$DISTRO" == "rhel" ] || [ "$DISTRO" == "centos" ] || [ "$DISTRO" == "ol" ]; then
if [[ $VERSION == 7* ]]; then
SCALED_VERSION=7
elif [[ $VERSION == 8* ]]; then
SCALED_VERSION=8
else
echo "Unsupported version: $DISTRO $VERSION" 7
fi
elif [ "$DISTRO" == "sles" ]; then
if [[ $VERSION == 12* ]]; then
SCALED_VERSION=12
elif [[ $VERSION == 15* ]]; then
SCALED_VERSION=15
else
echo "Unsupported version: $DISTRO $VERSION" 7
fi
else
SCALED_VERSION=$VERSION
fi
echo "Scaled version: $SCALED_VERSION"
}
debian_install()
{
curl -sSL $PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.list | tee /etc/apt/sources.list.d/microsoft-$CHANNEL.list
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | tee /etc/apt/trusted.gpg.d/microsoft.asc
apt-get update && apt-get install omi -y
echo "OMI updated"
}
redhat_install()
{
local REPO=
REPO=packages-microsoft-com
yum-config-manager --add-repo=$PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.repo
curl -sSL https://packages.microsoft.com/keys/microsoft.asc > ./microsoft.asc
rpm --import ./microsoft.asc
yum makecache
rm -f ./microsoft.asc
yum --enablerepo=$REPO-$CHANNEL install -y omi
echo "OMI updated"
}
sles_install()
{
local REPO=
REPO=packages-microsoft-com
zypper addrepo -c -f -n microsoft-$CHANNEL https://packages.microsoft.com/config/$DISTRO/$SCALED_VERSION/$CHANNEL.repo
curl -sSL https://packages.microsoft.com/keys/microsoft.asc > ./microsoft.asc
rpm --import ./microsoft.asc
zypper refresh
rm -f ./microsoft.asc
echo "Installing MDE on distro: $DISTRO version: $VERSION"
if ! zypper install -y $REPO-$CHANNEL:omi; then
echo "Failed, trying again"
zypper install -y mdatp
fi
echo "OMI updated"
}
update_omi()
{
if [ "$DISTRO" = "debian" ] || [ "$DISTRO" = "ubuntu" ]; then
debian_install
elif [ "$DISTRO" = "rhel" ] || [ "$DISTRO" = "centos" ] || [ "$DISTRO" = "ol" ]; then
redhat_install
elif [ "$DISTRO" = "sles" ] || [ "$DISTRO" = "sle-hpc" ] ; then
sles_install
else
echo "Unsupported distro"
fi
}
detect_distro
scale_version_id
update_omi

The Worklet checks for vulnerable Azure VMs. When the Worklet is run against an Azure VM, it will install the Microsoft Repository and update the Azure Open Management Infrastucture (OMI) agent. Special thanks to Adam Nadrowski and Tim Millikin for putting this Worklet together to help remediate OMIGOD. More details on this Worklet can be found in the Automox Community.

About Automox

Today’s IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire environment, you can easily monitor, identify, and respond to issues in real-time across any endpoint, regardless of OS or location.

Demo Automox to see how you can immediately gain effortless command of your endpoints.

Dive deeper into this topic

loading...