Microsoft asks Azure Linux admins to manually patch OMIGOD bugs

Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities.

The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.

According to Wiz researchers Nir Ohfeld and Shir Tamari, these bugs impact thousands of Azure customers and millions of endpoints.

Root privileges with a single packet

OMIGOD affects Azure VMs that use Linux management solutions with services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, or Azure Diagnostics.

Successful exploitation enables attackers to escalate privileges and execute code remotely on compromised Linux VMs.

“This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz researcher Nir Ohfeld said regarding the CVE-2021-38647 RCE bug.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.

“[T]his vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it.”

Manual updates required for existing Azure VMs

While working to address these bugs, Microsoft introduced an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit.

The company released a patched OMI software agent version on September 8 and assigned CVEs only one week later, as part of the September Patch Tuesday.

To make things worse for affected customers, Microsoft has no mechanism available to auto-update vulnerable agents on all impacted Azure Linux machines.

Instead, the company has urged customers to upgrade the vulnerable software manually to secure their endpoints from attacks using OMIGOD exploits.

“Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below,” the Microsoft Security Response Center team said. [emphasis ours]

“New VMs in these regions will be protected from these vulnerabilities post the availability of updated extensions.”

| Extension/Package | Deployment Model | Vulnerability Exposure | Vulnerable Extension Versions | Fixed Extension Versions | Updated Extension Availability |
|---|---|---|---|---|---|
| OMI as standalone package | On Premises / Cloud | Remote Code Execution | OMI module version 1.6.8.0 or less | OMI module v1.6.8-1 | Manually download the update here |
| System Center Operations Manager (SCOM) | On Premises | Remote Code Execution | OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring) | OMI version 1.6.8-1 | Manually download the update here |
| Azure Automation State Configuration, DSC Extension | Cloud | Remote Code Execution | DSC Agent versions 2.71.X.XX and 2.70.X.XX (except the fixed version or higher), 3.0.0.1, 2.0.0.0 | DSC Agent versions 2.71.1.25, 2.70.0.30, 3.0.0.3 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update extension using instructions here |
| Azure Automation State Configuration, DSC Extension | On Premises | Remote Code Execution | OMI versions below v1.6.8-1 (OMI framework is a prerequisite install for the DSC agent) | OMI version 1.6.8-1 | Manually update OMI using instructions here |
| Log Analytics Agent | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Log Analytics Agent | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Diagnostics (LAD) | Cloud | Local Elevation of Privilege | LAD v4.0.0 to v4.0.5; LAD v3.0.131 and earlier | LAD v4.0.11 and LAD v3.0.133 | Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
| Azure Automation Update Management | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation Update Management | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Automation | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Security Center | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Container Monitoring Solution | Cloud | Local Elevation of Privilege | See Note 1 | See Note 2 | Updated Container Monitoring Solution Docker image is available here |

To manually update the OMI agent, you can also use a Linux package manager:

  • Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs
  • You can then use your platform’s package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).

Microsoft will update vulnerable Azure VM management extensions across Azure regions on cloud deployments with auto-update turned on (the extensions will be transparently patched without a VM restart).

However, this means that customers will still have to make changes manually to their Azure Linux machines if automatic extension updates are not toggled on.

“Updates are already available for DSC and SCOM to address the remote execution vulnerability (RCE),” the MSRC team added.

“While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207).”
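As an added example (not Microsoft's or Wiz's code), the POSIX shell helpers below turn the two pieces of guidance above into host-side checks: whether the installed OMI package is below the fixed 1.6.8-1 release from the table, and whether any of the OMI ports (TCP 5985, 5986, 1207) are listening on all interfaces. The `ss -ltn` listing used for the port check is constructed sample text, and version strings are assumed to be numeric fields separated by dots or dashes.

```shell
#!/bin/sh
# Added example (not Microsoft's or Wiz's code): triage helpers for an Azure Linux
# host against the OMIGOD guidance above. Assumes numeric dotted/dashed versions.
FIXED_OMI="1.6.8-1"   # fixed standalone OMI version from the table above

# Compare two versions field by field ("." and "-" both separate fields).
# Prints -1, 0 or 1; "1.6.8.0" sorts below "1.6.8-1", matching the table.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            fa = (i in x) ? x[i] + 0 : 0
            fb = (i in y) ? y[i] + 0 : 0
            if (fa < fb) { print "-1"; exit }
            if (fa > fb) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when the given OMI version is below the fixed release.
omi_is_vulnerable() { [ "$(vercmp "$1" "${2:-$FIXED_OMI}")" -lt 0 ]; }

# Installed OMI version from the package database (dpkg or rpm), if any.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null
    fi
}

# Print OMI ports (5985, 5986, 1207) bound to all interfaces in an
# `ss -ltn` style listing passed as $1; the header line is skipped.
exposed_omi_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        addr = $4; port = $4
        sub(/:[0-9]+$/, "", addr); sub(/.*:/, "", port)
        if ((port == 5985 || port == 5986 || port == 1207) &&
            (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
            print port
    }'
}

# Constructed sample listing, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985      0.0.0.0:*'
```

On a real host, source the file and run `omi_is_vulnerable "$(installed_omi_version)"` and `exposed_omi_ports "$(ss -ltn)"`; a non-empty port list means the NSG or perimeter firewall restriction above still matters until the agent is updated.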

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-azure-linux-admins-to-manually-patch-omigod-bugs/
