The bad news: when it comes to the critical (CVSS 9.8) remote code execution vulnerability affecting Azure (dubbed OMIGOD and discussed by The Stack in our write-up here), Microsoft thinks you should fix it yourself. The good news -- the devastatingly effecting exploit, which gives an attacker root access -- only appears to affect 56 companies that have specifically configured their Linux management in a particular way.
Unfortunately, that's not the end of the story. There were three other privilege escalation vulnerabilities reported at the same time by cloud security startup Wiz and an attacker who managed to access an affected virtual machine through any other route can go move laterally and gain root using OMI syntax.
The OMIGOD vulnerability stems from the open-source OMI agent that is embedded in many Azure services and quietly deployed when customers set up a Linux virtual machine (VM) in their cloud, in order to orchestrate configuration management and log collection. ("Any user can communicate with it using a UNIX socket or via an HTTP API when configured to allow external access" Wiz noted. "As a result, the vulnerabilities we found would allow external users or low-privileged users to remotely execute code on target machines.")
https://twitter.com/i/status/1437898746747097090
In updated guidance, Microsoft said September 16 that the RCE bug (CVE-2021-38647) only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.
(Detailed analysis by Censys CTO Derek Abdine found 56 companies including a "major health organization and two major entertainment companies" were vulnerable. It has notified the companies.)
Controversially, however, despite the vulnerability coming from open source software maintained by Microsoft and quietly deployed at the heart of its infrastructure, Redmond has put the onus on customers to "update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available" (schedule, per Microsoft, below), rather than fixing vulnerable deployments itself.
Post continues below
Extension/Package | Deployment Model | Vulnerability Exposure | Vulnerable Extension Versions | Fixed Extension Versions | Updated Extension Availability |
OMI as standalone package | On Premises/ Cloud | Remote Code Execution | OMI module version 1.6.8.0 or less | OMI module v1.6.8-1 | Manually download the update here |
System Center Operations Manager (SCOM) | On Premises | Remote Code Execution | OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring) | OMI version: 1.6.8-1 | Manually download the update here |
Azure Automation State Configuration, DSC Extension | Cloud | Remote Code Execution | DSC Agent versions: 2.71.X.XX (except the fixed version or higher) 2.70.X.XX (except the fixed version or higher) 3.0.0.1 2.0.0.0 | DSC Agent versions: 2.71.1.25 2.70.0.30 3.0.0.3 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update extension using instructions here |
Azure Automation State Configuration, DSC Extension | On Premises | Remote Code Execution | OMI versions below v1.6.8-1 (OMI framework is a pre-requisite install for DSC agent) | OMI version: 1.6.8-1 | Manually update OMI using instructions here. |
Log Analytics Agent | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
Log Analytics Agent | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
Azure Diagnostics (LAD) | Cloud | Local Elevation of Privilege | LAD v4.0.0-v4.0.5 LAD v3.0.131 and earlier | LAD v4.0.11 and LAD v3.0.133 | Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
Azure Automation Update Management | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
Azure Automation Update Management | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
Azure Automation | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
Azure Automation | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
Azure Security Center | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here |
Container Monitoring Solution | Cloud | Local Elevation of Privilege | See Note 1 | See Note 2 | Updated Container Monitoring Solution Docker image is available here |
Post continues below
The whole OMIGOD vulnerability has been wrapped in increasing controversy, spanning disclosure, patch responsibility, open source and more. According to Arstechnica's review of emails between Redmond and Wiz, for example, Microsoft specifically said OMI was out of scope for Azure Management bounties, passing it off as an open source-related issue.
And although updates for the vulnerability were posted on GitHub back on August 11, said it didn't release security details then to "provide partners who depend on this software time to implement the updates before we released the details of the vulnerability." (That fix appears to articulate little more detail than a bare-bones "security update").
AWS's Matthew Wilson noted: "While it is not a completely unusual practice for bug fixes to be committed in an upstream repository without calling out the security implications of a fix, following up with a CVE, I think it is unusual to do this. Call me old-fashioned (well, this is an old fashioned software package) but I expect to see a security bulletin sent to https://openwall.com/lists/oss-security/, if the issue wasn't pre-disclosed to distros@ (which it doesn't appear to have been)."