Azure Open Management Infrastructure Exploits (OMIGOD)

Overview

Some Azure services use an automation process called Open Management Infrastructure (OMI). It’s functionally similar to WMI (Windows Management Instrumentation) but for Linux.

In some cases, OMI may expose a management service over HTTP and HTTPS (ports 1270,5985,5986) which is vulnerable to a Remote Code Execution (RCE) exploit (CVE-2021-38647). Most Azure services that use OMI deploy it without exposing the HTTP/S ports.

The Linux OMI implementation is also vulnerable to a series of Local Privilege Escalation (LPE) exploits
(CVE-2021-38645, CVE-2021-38648, CVE-2021-38649).

Of particular concern to Quorum Cyber customers, the Linux agent which Azure Sentinel uses is built on OMI and contains LPE vulnerabilities. It does not expose the HTTP/S ports and is not vulnerable to RCE but updates are recommended to fix the LPE.

Impact

RCE
On systems with the service port exposed, a network-based attacker may be able to gain control of the server.

LPE
An unprivileged user of a system with OMI installed may be able to elevate privileges to become root.

Vulnerability Detection

Azure Service Health has sent notifications to potentially impacted customers.

The RCE can be detected on a vulnerable machine using netstat.
`sudo netstat -npl | grep -e ‘(5985|5986|1270)’`

The current version of the OMI service can be enumerated with the package manager, depending on distribution.
`dpkg -l omi`
`rpm -qa omi`

If OMI is not installed then there will be no results. If there is a result it will show the OMI version. The patched version is `1.6.8.1` anything before this is vulnerable to the LPE exploit.

Affected Products

The following services are known to use OMI in some capacity.
Not all of these will expose the HTTP/S port and it may depend on how they were installed.

• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite (OMS)
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics

Containment, Mitigations & Remediations

The OMI agent can be updated using Microsoft’s Linux Repo

– add MSRepo to your system
– upgrade the omi using your package manager (eg, `sudo apt-get install omi` or `sudo yum install omi`).

Indicators of Compromise

Microsoft’s Threat Intelligence Center (MSTIC) have released details of in the wild RCE exploitation attempts which are ongoing.

Scanning IPs
13.212.235.12
142.93.148.12
171.224.80.216
185.220.100.245
216.151.191.152
23.129.64.140
31.44.185.115
46.30.42.126
5.45.127.209
94.198.42.158

Malicious URLs
hxxps://www.dwservice.net/download/dwagent_generic.sh
hxxp://104.168.213.31:55879/coinlinux/runMiner.sh

Threat Landscape

The simplicity of the RCE attack and availability of exploit scripts means there have been many different actors attempting exploitation. Observations have included simple intelligence gathering attempts; opportunistic, financially motivated cryptocurrency mining; and more organised attempts to control the servers and integrate them into existing botnets.

Mitre Methodologies

– T1053.003 – Scheduled Task/Job (Cron)
– T1190 – Exploit Public-Facing Application

Further Information

Open Management Infrastructure Remote Code Execution Vulnerability CVE-2021-38647

Hunting for OMI Vulnerability Exploitation with Azure Sentinel