Researchers disclosed four vulnerabilities in Microsoft’s OMI (Open Management Infrastructure). OMI is an open source Common Information Model (CIM) server used for managing Unix and Linux systems. The vulnerabilities range from 7.0 to 9.8 CVSS scores. The Remote Code Execution (RCE), CVE-2021-38647, is extremely simple to execute, requiring only the removal of the auth header to gain root privileges.
- CVE-2021-38647: OMI Remote Code Execution Vulnerability (CVSS: 9.8)
- CVE-2021-38648: OMI Elevation of Privilege Vulnerability (CVSS: 7.8)
- CVE-2021-68645: OMI Elevation of Privilege Vulnerability (CVSS: 7.8)
- CVE-2021-38649: OMI Elevation of Privilege Vulnerability (CVSS: 7.0)
The vulnerabilities are colloquially referred to as OMIGOD and are found within the OMI agents installed on Azure Linux virtual machines. The agents are found in several Azure services including Azure Automation, Automatic Update, Operation Management Suite, Diagnostics, Container Insights and more.
Microsoft Guidance
On Sept 16, Microsoft published a blog outlining the OMI vulnerabilities and guidances on how to address these vulnerabilities. As part of the guidance, Microsoft notes that all versions of OMI below v1.6.8-1 are vulnerable.
To remediate these vulnerabilities, Microsoft states that customers must update vulnerable extensions for their cloud and on-premise deployments as the updates become available. Many of the updates require manual interaction to deploy the updates to the various services.
Extension/Package |
Vulnerability Exposure |
Updated Extension Availability |
Remote Code Execution |
Manually download the update here |
|
Remote Code Execution |
Manually download the update here |
|
Azure Automation State Configuration, DSC Extension |
Remote Code Execution |
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update extension using instructions here |
Azure Automation State Configuration, DSC Extension |
Remote Code Execution |
Manually update OMI using instructions here. |
Local Elevation of Privilege |
Manually update using instructions here |
|
Local Elevation of Privilege |
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
|
Local Elevation of Privilege |
Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
|
Local Elevation of Privilege |
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
|
Local Elevation of Privilege |
Manually update using instructions here |
|
Local Elevation of Privilege |
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
|
Local Elevation of Privilege |
Manually update using instructions here |
|
Local Elevation of Privilege |
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
|
Local Elevation of Privilege |
Updated Container Monitoring Solution Docker image is available here |
Automox Worklet for OMIGOD Remediation
Due to the high criticality and the fact that adversaries are already scanning networks for these vulnerabilities, it is critical that these vulnerabilities be addressed in your infrastructure immediately.
Evaluation Code
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ Updates OMI on Azure Linux VM's.
#%
#% DESCRIPTION
#% The eval code checks to see if the device is an Azure VM.
#% If it is, it will install the Microsoft Repository and
#% update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#% ./evaluation.sh
#%
#% EXAMPLES
#% ./evaluation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version secops-update_azure_omi (www.automox.com) 1.0
#- author Adam Nadrowski
#- reviewer Tim Millikin
#-
#================================================================
# HISTORY
# 09/17/2021 : Adam Nadrowski : Script creation
# 09/17/2021 : Tim Millikin : Validated and catalogued
# 09/18/2021 : Adam Nadrowski : Update to eval code
#
#================================================================
# END_OF_HEADER
#================================================================
ASSET_TAG=$(dmidecode --string chassis-asset-tag)
if [ "$ASSET_TAG" != "7783-7084-3265-9085-8269-3286-77" ]; then
exit 0
fi
exit 1
Remediation Code
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ Updates OMI on Azure Linux VM's.
#%
#% DESCRIPTION
#% The eval code checks to see if the device is an Azure VM.
#% If it is, it will install the Microsoft Repository and
#% update the Azure Open Management Infrastructure (OMI) agent.
#%
#% USAGE
#% ./remediation.sh
#%
#% EXAMPLES
#% ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version secops-update_azure_omi (www.automox.com) 1.0
#- author Adam Nadrowski
#- reviewer Tim Millikin
#-
#================================================================
# HISTORY
# 09/17/2021 : Adam Nadrowski : Script creation
# 09/17/2021 : Tim Millikin : Validated and catalogued
# 09/18/2021 : Adam Nadrowski : Update to eval code
#
#================================================================
# END_OF_HEADER
#================================================================
PMC_URL=https://packages.microsoft.com/config
SCALED_VERSION=
CHANNEL=prod
detect_distro()
{
if [ -f /etc/os-release ]; then
if [[ $(grep -o -i "amazon_linux:2" /etc/os-release) ]]; then
DISTRO='rhel'
VERSION=7
else
. /etc/os-release
DISTRO=$ID
VERSION=$VERSION_ID
fi
elif [ -f /etc/redhat-release ]; then
if [ -f /etc/oracle-release ]; then
DISTRO="ol"
elif [[ $(grep -o -i "Red\ Hat" /etc/redhat-release) ]]; then
DISTRO="rhel"
elif [[ $(grep -o -i "Centos" /etc/redhat-release) ]]; then
DISTRO="centos"
fi
VERSION=$(grep -o "release .*" /etc/redhat-release | cut -d ' ' -f2)
else
echo "Unable to detect distro"
fi
echo "Distro detected or similar to: $DISTRO"
}
scale_version_id()
{
if [ "$DISTRO" == "rhel" ] || [ "$DISTRO" == "centos" ] || [ "$DISTRO" == "ol" ]; then
if [[ $VERSION == 7* ]]; then
SCALED_VERSION=7
elif [[ $VERSION == 8* ]]; then
SCALED_VERSION=8
else
echo "Unsupported version: $DISTRO $VERSION" 7
fi
elif [ "$DISTRO" == "sles" ]; then
if [[ $VERSION == 12* ]]; then
SCALED_VERSION=12
elif [[ $VERSION == 15* ]]; then
SCALED_VERSION=15
else
echo "Unsupported version: $DISTRO $VERSION" 7
fi
else
SCALED_VERSION=$VERSION
fi
echo "Scaled version: $SCALED_VERSION"
}
debian_install()
{
curl -sSL $PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.list | tee /etc/apt/sources.list.d/microsoft-$CHANNEL.list
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | tee /etc/apt/trusted.gpg.d/microsoft.asc
apt-get update && apt-get install omi -y
echo "OMI updated"
}
redhat_install()
{
local REPO=
REPO=packages-microsoft-com
yum-config-manager --add-repo=$PMC_URL/$DISTRO/$SCALED_VERSION/$CHANNEL.repo
curl -sSL https://packages.microsoft.com/keys/microsoft.asc > ./microsoft.asc
rpm --import ./microsoft.asc
yum makecache
rm -f ./microsoft.asc
yum --enablerepo=$REPO-$CHANNEL install -y omi
echo "OMI updated"
}
sles_install()
{
local REPO=
REPO=packages-microsoft-com
zypper addrepo -c -f -n microsoft-$CHANNEL https://packages.microsoft.com/config/$DISTRO/$SCALED_VERSION/$CHANNEL.repo
curl -sSL https://packages.microsoft.com/keys/microsoft.asc > ./microsoft.asc
rpm --import ./microsoft.asc
zypper refresh
rm -f ./microsoft.asc
echo "Installing MDE on distro: $DISTRO version: $VERSION"
if ! zypper install -y $REPO-$CHANNEL:omi; then
echo "Failed, trying again"
zypper install -y mdatp
fi
echo "OMI updated"
}
update_omi()
{
if [ "$DISTRO" = "debian" ] || [ "$DISTRO" = "ubuntu" ]; then
debian_install
elif [ "$DISTRO" = "rhel" ] || [ "$DISTRO" = "centos" ] || [ "$DISTRO" = "ol" ]; then
redhat_install
elif [ "$DISTRO" = "sles" ] || [ "$DISTRO" = "sle-hpc" ] ; then
sles_install
else
echo "Unsupported distro"
fi
}
detect_distro
scale_version_id
update_omi
The Worklet checks for vulnerable Azure VMs. When the Worklet is run against an Azure VM, it will install the Microsoft Repository and update the Azure Open Management Infrastucture (OMI) agent. Special thanks to Adam Nadrowski and Tim Millikin for putting this Worklet together to help remediate OMIGOD. More details on this Worklet can be found in the Automox Community.
About Automox
Today’s IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire environment, you can easily monitor, identify, and respond to issues in real-time across any endpoint, regardless of OS or location.
Demo Automox to see how you can immediately gain effortless command of your endpoints.