Bug 1190511 - VUL-0: OMIGOD vulnerabilities in Microsoft Azure Cloud
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
CVSSv3.1:SUSE:CVE-2021-38645:8.4:(AV:...
Reported: 2021-09-15 08:32 UTC by Marcus Meissner
Modified: 2021-09-16 08:54 UTC


Description Marcus Meissner 2021-09-15 08:32:29 UTC
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers


Overview

The Wiz Research Team recently found four critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure. The vulnerabilities are very easy to exploit, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges.

    CVE-2021-38647 – Unauthenticated RCE as root
    CVE-2021-38648 – Privilege Escalation vulnerability
    CVE-2021-38645 – Privilege Escalation vulnerability
    CVE-2021-38649 – Privilege Escalation vulnerability

Many different services in Azure are affected, including Azure Log Analytics, Azure Diagnostics and Azure Security Center, as Microsoft uses OMI extensively behind the scenes as a common component for many of its management services for VMs. In a survey, Wiz found that over 65% of sampled Azure customers were exposed to these vulnerabilities and unknowingly at risk. Although widely used, OMI’s functions within Azure VMs are almost completely undocumented and there are no clear guidelines for customers regarding how to check and/or upgrade existing OMI versions. For a high-level overview of the vulnerability and updates regarding mitigations, visit our OMIGOD blog.

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

Microsoft article:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
Comment 6 Alexander Osthof 2021-09-15 13:50:49 UTC
Quick update on the ports.

Freshly installed SLES 15 SP3 BYOS instance without any of the listed services:

azureuser@SLES-15-SP3-aoTest:~> nc -z -v localhost 5985
nc: connect to localhost port 5985 (tcp) failed: Connection refused
nc: connect to localhost port 5985 (tcp) failed: Connection refused
azureuser@SLES-15-SP3-aoTest:~> nc -z -v localhost 5986
nc: connect to localhost port 5986 (tcp) failed: Connection refused
nc: connect to localhost port 5986 (tcp) failed: Connection refused
azureuser@SLES-15-SP3-aoTest:~> nc -z -v localhost 1270
nc: connect to localhost port 1270 (tcp) failed: Connection refused
nc: connect to localhost port 1270 (tcp) failed: Connection refused

omi package is not installed.


After enabling the "Configuration management (Preview)" service on that running instance:

azureuser@SLES-15-SP3-aoTest:~> rpm -qa omi
omi-1.6.8-0.x86_64

azureuser@SLES-15-SP3-aoTest:~> nc -z -v localhost 5985
nc: connect to localhost port 5985 (tcp) failed: Connection refused
nc: connect to localhost port 5985 (tcp) failed: Connection refused
azureuser@SLES-15-SP3-aoTest:~> nc -z -v localhost 5986
Connection to localhost 5986 port [tcp/wsmans] succeeded!
azureuser@SLES-15-SP3-aoTest:~> nc -z -v localhost 1270
nc: connect to localhost port 1270 (tcp) failed: Connection refused
nc: connect to localhost port 1270 (tcp) failed: Connection refused

--> at least port 5986 is open.
Comment 7 Robert Schweikert 2021-09-15 13:54:50 UTC
Well obviously they have to listen to the ports locally or the service they are installing would be useless as they couldn't communicate with the framework.

So yes there is always the internal, i.e. disgruntled employee, threat, but that is not as severe as an internet exposed port which would be controlled by the network setup in Azure.
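As an added example (not part of the bug report, SUSE or the OMI project): a small POSIX sh script that turns the manual port probing from comment 6 into a repeatable host check. It parses `ss -ltn` output to report which of ports 5985/5986/1270 are listening and whether each is bound to loopback only (reachable by local processes only) or to a network interface (reachable from other hosts, subject to firewall and Azure network security group rules, the distinction raised in comment 7). The function names, the `--demo` flag and the sample `ss` output are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the bug report or the OMI project: report which
# OMI-related ports are listening and whether they are bound to loopback only.
# The ports are the ones probed in comment 6; the sample data below is constructed.

OMI_PORTS="5985 5986 1270"

# omi_port_report "<text of ss -ltn>"
# Prints one line per listening OMI port: "<port> <local address> <scope>".
# scope is "loopback" (only processes on this host can reach it) or "network"
# (reachable from other hosts, subject to the host firewall / Azure NSG rules).
omi_port_report() {
    printf '%s\n' "$1" | awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                      # e.g. 0.0.0.0:5986, [::]:5986, 127.0.0.1:1270
            k = split(addr, parts, ":")    # the port is the last ":"-separated field
            port = parts[k]
            if (!(port in wanted)) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "network"
            print port, addr, scope
        }'
}

# Constructed sample resembling `ss -ltn` on the comment 6 instance after the
# omi package appeared: 5986 on all interfaces, an unrelated sshd listener, and a
# loopback-only 1270 added for contrast (no such listener was seen in the report).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*
LISTEN 0      128    127.0.0.1:1270      0.0.0.0:*'

# Run against the live socket table when ss is available, otherwise the sample.
omi_host_check() {
    if command -v ss >/dev/null 2>&1; then
        omi_port_report "$(ss -ltn 2>/dev/null)"
    else
        omi_port_report "$SAMPLE_SS"
    fi
}

# `sh omi_check.sh --demo` also shows the installed omi package, as in comment 6.
if [ "${1:-}" = "--demo" ]; then
    rpm -q omi 2>/dev/null || echo "omi package not installed (or rpm not available)"
    omi_host_check
fi
```

Without `--demo` the script only defines the functions, so it can be sourced from other tooling; a "network" line for 5986 matches the state comment 6 observed.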
Comment 8 Marcus Meissner 2021-09-16 08:52:52 UTC
TID URL:

https://www.suse.com/support/kb/doc/?id=000020388