Azure users running Linux virtual machines may not be aware that their machine has highly vulnerable management software from Microsoft installed that can be remotely exploited in incredibly surprising and equally silly ways.
As described by Wiz.io, which found four vulnerabilities in Microsoft’s Open Management Infrastructure project, an attacker could gain root access to a remote computer by sending a single packet with the authentication header removed.
“This is a textbook RCE vulnerability you’d expect in the 1990s – it’s very unusual for one to emerge in 2021 that can expose millions of endpoints,” wrote Wiz security researcher Nir Ohfeld.
“Thanks to the combination of a simple coding error in a conditional statement and an uninitialized authentication structure, every request without an authorization header has its privileges by default on uid = 0, gid = 0, which is root.”
If OMI releases port 5986, 5985 or 1270 externally, the system is vulnerable.
“This is the default configuration for standalone installation and in Azure Configuration Management or System Center Operations Manager. Fortunately, other Azure services (e.g.,” added Ohfeld.
The problem for users, as described by Ohfeld, is that OMI is silently installed when users install the log collection, has no public documentation, and runs with root privileges. Wiz found that over 65% of the Azure customers it surveyed were vulnerable with Linux.
In his advisory on the four CVEs published today – CVE-2021-38647 with a rating of 9.8, CVE-2021-38648 with a rating of 7.8, CVE-2021-38645 with a rating of 7.8, and CVE -2021-38649, with a rating of 7.0 – Microsoft said the resolution for the vulnerabilities was moved to their OMI code on August 11th to give their partners time to update before detailing the issues.
Users should ensure that they are running OMI version 184.108.40.206, with Microsoft adding instructions in its advisories to download the OMI updates from its repositories if machines have not yet been updated.
“System Center deployments of OMI are at greater risk because the Linux agents are out of date. Customers who are still using System Center with OMI-based Linux may need to manually update the OMI agent, ”warned Wiz.
The vulnerabilities were part of Microsoft’s latest Patch Tuesday.
Like many vulnerabilities these days, they have to be tagged with a catchy name, in which case Wiz called them OMIGOD.