How can we help?
Some Azure services use an automation process called Open Management Infrastructure (OMI). It’s functionally similar to WMI (Windows Management Instrumentation) but for Linux.
In some cases, OMI may expose a management service over HTTP and HTTPS (ports 1270,5985,5986) which is vulnerable to a Remote Code Execution (RCE) exploit (CVE-2021-38647). Most Azure services that use OMI deploy it without exposing the HTTP/S ports.
Of particular concern to Quorum Cyber customers, the Linux agent which Azure Sentinel uses is built on OMI and contains LPE vulnerabilities. It does not expose the HTTP/S ports and is not vulnerable to RCE but updates are recommended to fix the LPE.
On systems with the service port exposed, a network-based attacker may be able to gain control of the server.
An unprivileged user of a system with OMI installed may be able to elevate privileges to become root.
Azure Service Health has sent notifications to potentially impacted customers.
The RCE can be detected on a vulnerable machine using netstat.
`sudo netstat -npl | grep -e ‘(5985|5986|1270)’`
The current version of the OMI service can be enumerated with the package manager, depending on distribution.
`dpkg -l omi`
`rpm -qa omi`
If OMI is not installed then there will be no results. If there is a result it will show the OMI version. The patched version is `22.214.171.124` anything before this is vulnerable to the LPE exploit.
The following services are known to use OMI in some capacity.
Not all of these will expose the HTTP/S port and it may depend on how they were installed.
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
Containment, Mitigations & Remediations
The OMI agent can be updated using Microsoft’s Linux Repo
– add MSRepo to your system
– upgrade the omi using your package manager (eg, `sudo apt-get install omi` or `sudo yum install omi`).
Indicators of Compromise
Microsoft’s Threat Intelligence Center (MSTIC) have released details of in the wild RCE exploitation attempts which are ongoing.
The simplicity of the RCE attack and availability of exploit scripts means there have been many different actors attempting exploitation. Observations have included simple intelligence gathering attempts; opportunistic, financially motivated cryptocurrency mining; and more organised attempts to control the servers and integrate them into existing botnets.