How To Fix The New OMI Vulnerabilities Target Linux VMs On Azure Environment?

After CVE-2021-40444 – MSHTML Remote Code Execution Vulnerability. On September 14, Microsoft has confirmed four new vulnerabilities on Open Management Interface (OMI) that Microsoft installed on its Azure Linux VMs. It is estimated that thousands of Azure customers and millions of endpoints are affected by these vulnerabilities. Let’s see how to fix the new OMI vulnerabilities that target Linux VMs on its Azure platform.

What Is OMI?

Open Management Infrastructure (OMI) is an open-source project which comes as a pre-installed application on Azure Linux VMs. Microsoft secretly installs this on its Linux VMs to enable monitoring, logging, reporting, and host management options from the cloud provider’s user interface and APIs. OMI is the Linux/Unix equivalent of Windows Management Instrumentation and Remote Management (WMI/WinRM) which is used to manage desired-state configuration on Linux operating systems such as CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux Server, SUSE Linux, and Ubuntu.

Who Is Vulnerable To The New OMI Vulnerabilities?

According to the report, when Azure customers enable any of these services: Azure Automatic Update, Azure Automation, Azure Operations Management Suite (OMS), Azure Configuration Management, Azure Log Analytics, and Azure Diagnostics services on Linux VMs, OMI is silently installed on them without the customer’s knowledge. Wiz security researcher Nir Ohfeld also said that these new OMI vulnerabilities are not just limited to cloud customers. It affects Linux machines deployed on on-premise on which OMI has been installed.
According to Microsoft, any customers who enable these below services on their Linux VM instance are vulnerable to the OMIGOD vulnerabilities. It is estimated that thousands of Azure customers and millions of endpoints are affected by these vulnerabilities.

• Azure Automation
• Azure Automatic Update
• Azure Operations Management Suite (OMS)
• Azure Log Analytics
• Azure Configuration Management
• Azure Diagnostics
• Azure Container Insights (Added September 16, 07:00AM EST)

Summary Of OMIGOD Vulnerabilities:

These are the four vulnerabilities collectively named OMIGOD vulnerabilities.

• CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
• CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
• CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
• CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

The first remote code execution vulnerability CVE-2021-38647 lets adversaries gain remote access to Linux machines when OMI exposes the HTTPS management port publicly via TCP ports 1270, 5985, and 5986. later the adversaries carry out privilege escalation attacks on them and further compromise more VMs through the compromised VMs. These vulnerabilities allow attackers to remotely execute codes as a root user to exfiltrate sensitive data from the Linux VMs.

How To Fix The New OMI Vulnerabilities?

There are few mitigations and fixes available to protect from the new OMI vulnerabilities to answer this question. Let’s list them one after another.

1. Microsoft has released a fix for these new OMI vulnerabilities as part of its Patch Tuesday updates.
2. Install the MSRepo on your Linux VM. Please visit this page to learn how to install MSRepo.
3. Upgrade or install the latest OMI (version equivalent or greater than 1.6.8.1). Use these commands to upgrade or install the OMI on Debian and RedHat-based distributions.
   1. Run this on Debian distro: $ sudo apt-get install omi
   2. Run this on RedHat based distro: $ sudo yum install omi
4. Don’t deploy OMI from the System Center because the Linux agents could be decrypted. So we recommend using a manual way to upgrade or install OMI agents.
5. Uninstall OMI if not required.
   1. Run this on Debian distro: $ sudo apt remove omi
   2. Run this on RedHat based distro: $ sudo yum remove omi
6. You can identify your system is vulnerable just by checking the OMI ports enabled on your Linux instances. Block the post either on public-facing firewalls or internal firewalls as per your need.
   1. Run this command to see the ports opened on your Linux: $ sudo netstat -antp | grep <post number>

Thanks for reading this threat post. Please share this post and help to secure the digital world. Please visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

• A Critical RCE PowerShell Vulnerability – Upgrade PowerShell at the earliest
• Step by Step Procedure to Install Windows 11 on VMWare
• Step by Step Procedure to Install CBL-Mariner on VMWare – Microsoft’s Linux Distribution!
• 10 Cybersecurity professions which are in high demand
• Step-by-Step Procedure to Create a SCOM Certificate Template