{"id":18792,"date":"2021-09-16T22:41:19","date_gmt":"2021-09-16T18:41:19","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/vulnerabilities-in-omi-azure\/18792\/"},"modified":"2021-09-16T22:41:19","modified_gmt":"2021-09-16T18:41:19","slug":"vulnerabilities-in-omi-azure","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/vulnerabilities-in-omi-azure\/18792\/","title":{"rendered":"OMI vulnerabilities threaten Linux virtual machines on Microsoft Azure"},"content":{"rendered":"<p>News <a href=\"https:\/\/www.wiz.io\/blog\/secret-agent-exposes-azure-customers-to-unauthorized-code-execution\" target=\"_blank\" rel=\"nofollow noopener\">has surfaced<\/a> of a rather dangerous practice in Microsoft Azure: when a user creates a Linux virtual machine and enables certain Azure services, the platform automatically installs the Open Management Infrastructure (OMI) agent on the machine without telling the user.<\/p>\n<p>A silent installation sounds bad on its face, but this one would not be so serious were it not for two issues: first, the agent has known vulnerabilities, and second, Azure does not reliably update it automatically. Until Microsoft solves this problem on its end, organizations running Linux virtual machines on Azure need to take action themselves.<\/p>\n<h2>Vulnerabilities in the Open Management Infrastructure, and how attackers can exploit them<\/h2>\n<p>On September 2021\u2019s Patch Tuesday, Microsoft released security updates for four vulnerabilities in the Open Management Infrastructure agent. 
One of them, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-38647\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-38647<\/a>, allows unauthenticated <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-code-execution-rce\/\" target=\"_blank\" rel=\"noopener\">remote code execution (RCE)<\/a> and is rated critical. The other three, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-38648\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-38648<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-38645\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-38645<\/a>, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-38649\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-38649<\/a>, allow local <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/privilege-escalation\/\" target=\"_blank\" rel=\"noopener\">privilege escalation (LPE)<\/a>: they are a second stage for attackers who already have low-privileged access to the machine, and all three are rated high severity.<\/p>\n<p>When Microsoft Azure users create a Linux virtual machine and enable certain services, OMI, vulnerabilities and all, is deployed on the system automatically. The services include Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, a list that is probably far from complete. The OMI agent runs as root, and because its tasks include collecting statistics and syncing configuration, it may, depending on the services enabled, also listen on HTTP or HTTPS ports that are reachable over the network.<\/p>\n<p>For example, if the agent is listening on port 5986, attackers could potentially exploit CVE-2021-38647 and execute malicious code remotely. 
If OMI is exposed for remote management (on port 5986, 5985, or 1270), an outsider can exploit the same vulnerability to gain root on the virtual machine and use it as a foothold in the surrounding Azure network. Experts say the vulnerability is very easy to exploit.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">This is even more severe. The RCE is the simplest RCE you can ever imagine. Simply remove the auth header and you are root. remotely. on all machines. Is this really 2021? <a href=\"https:\/\/t.co\/iIHNyqgew4\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/iIHNyqgew4<\/a><\/p>\n<p>\u2014 Ami Luttwak (@amiluttwak) <a href=\"https:\/\/twitter.com\/amiluttwak\/status\/1437898746747097090?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 14, 2021<\/a><\/p><\/blockquote>\n<p>So far, no in-the-wild attacks have been reported, but with so much public detail on how easy these vulnerabilities are to exploit, it probably won\u2019t be long.<\/p>\n<h2>How to protect yourself<\/h2>\n<p>Microsoft has released patches for all four vulnerabilities. However, OMI is not always updated automatically, so check which version is deployed on each of your Linux virtual machines. If it\u2019s older than 1.6.8.1, update the Open Management Infrastructure agent. 
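The two checks just described, the installed OMI version against 1.6.8.1 and whether the management ports 5985, 5986 and 1270 are listening on anything other than loopback, as an added shell example that is not code from Kaspersky, Microsoft or the OMI project. It assumes OMI is installed as the "omi" package and can be queried with dpkg-query or rpm, and that `ss -ltn` prints one socket per line with the state in column 1 and the local address:port in column 4; the version threshold and port list come from this post.

```sh
#!/bin/sh
# Added example, not code from Kaspersky, Microsoft or the OMI project.
# Checks an Azure Linux VM for (1) an OMI agent older than the fixed
# version 1.6.8.1 and (2) the OMI/WS-Man ports 5985, 5986 and 1270
# listening on a non-loopback address.
# Assumptions: OMI is installed as the "omi" package (dpkg or rpm), and
# `ss -ltn` prints one socket per line with "State" in column 1 and
# "LocalAddress:Port" in column 4.

FIXED_OMI_VERSION="1.6.8.1"
OMI_PORTS="5985 5986 1270"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Missing trailing components count as 0, so 1.6.8 sorts before 1.6.8.1.
# Only numeric components are handled.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                 # leading component of each
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1                                     # versions are equal
}

# omi_version_is_vulnerable VERSION: succeed when VERSION predates the fix.
# Package versions such as "1.6.8-1" are normalised to "1.6.8.1" first.
omi_version_is_vulnerable() {
    v=$(printf '%s' "$1" | tr '-' '.')
    version_lt "$v" "$FIXED_OMI_VERSION"
}

# omi_installed_version: print the installed omi package version, if any.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' omi 2>/dev/null && return 0
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null
    fi
    return 0
}

# exposed_omi_ports: read `ss -ltn` output on stdin and print each OMI port
# bound to anything other than loopback, numerically sorted, one per line.
exposed_omi_ports() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # everything before it
            if ((port in wanted) && host != "127.0.0.1" && host != "[::1]")
                print port
        }' | sort -un
}

# omi_check: run both checks and return 1 when the VM needs attention.
omi_check() {
    status=0
    ver=$(omi_installed_version)
    if [ -z "$ver" ]; then
        echo "omi: package not installed"
    elif omi_version_is_vulnerable "$ver"; then
        echo "omi: version $ver is older than $FIXED_OMI_VERSION, update it"
        status=1
    else
        echo "omi: version $ver includes the fix"
    fi
    exposed=$(ss -ltn 2>/dev/null | exposed_omi_ports)
    if [ -n "$exposed" ]; then
        echo "omi: management ports listening on non-loopback addresses:" $exposed
        status=1
    fi
    return "$status"
}

# Run the checks only when executed as omi_check.sh, so the file can also
# be sourced for its functions.
case "$0" in
    *omi_check.sh) omi_check ;;
esac
```

Save it as omi_check.sh and run it with sh on each VM; a non-zero exit status means the agent needs updating, the ports need to be firewalled, or both. Because the version comparison accepts the raw package string, a VM reporting 1.6.8-1 is treated as patched, while 1.6.8 or anything lower is flagged.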
For update instructions, refer to the description of the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-38647\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-38647<\/a> vulnerability.<\/p>\n<p>Experts also recommend restricting network access to ports 5985, 5986, and 1270 to block remote exploitation. Note that this only reduces exposure to CVE-2021-38647; the three privilege-escalation vulnerabilities are exploitable locally and still require the update.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Open Management Infrastructure agent, with four vulnerabilities, is being automatically installed on Linux virtual machines on Microsoft Azure.<\/p>\n","protected":false},"author":2581,"featured_media":18793,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2493,533,38,268],"class_list":{"0":"post-18792","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-azure","11":"tag-linux","12":"tag-microsoft","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vulnerabilities-in-omi-azure\/18792\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vulnerabilities-in-omi-azure\/23305\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/vulnerabilities-in-omi-azure\/25371\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vulnerabilities-in-omi-azure\/23452\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vulnerabilities-in-omi-azure\/22852\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vulnerabilities-in-omi-azure\/25976\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/vulnerabilities-in-omi-azure\/25558\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vulnerabilities-in-omi-azure\/31483\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/vulnerabilities-in-omi-azure\/10060\/"}
,{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vulnerabilities-in-omi-azure\/41977\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/vulnerabilities-in-omi-azure\/17610\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/vulnerabilities-in-omi-azure\/18124\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/vulnerabilities-in-omi-azure\/15271\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/vulnerabilities-in-omi-azure\/27374\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/vulnerabilities-in-omi-azure\/31634\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vulnerabilities-in-omi-azure\/24347\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vulnerabilities-in-omi-azure\/29691\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vulnerabilities-in-omi-azure\/29485\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18792"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18792\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18793"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/
wp\/v2\/categories?post=18792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}