News has surfaced of a rather dangerous practice in Microsoft Azure, whereby when a user creates a Linux virtual machine and enables certain Azure services, the Azure platform automatically installs the Open Management Infrastructure (OMI) agent on the machine. The user won’t know it.
Although a stealth installation might sound terrible on its face, this one actually wouldn’t be so bad were it not for two issues: First, the agent has known vulnerabilities, and second, the agent has no automatic update mechanism in Azure. Until Microsoft solves this problem on its end, organizations using Linux virtual machines on Azure will need to take action.
Vulnerabilities in the Open Management Infrastructure, and how attackers can exploit them
On September’s Patch Tuesday, Microsoft released security updates for four vulnerabilities in the Open Management Infrastructure agent. One of them, CVE-2021-38647, allows remote code execution (RCE) and is critical, and the other three, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649, can be used for privilege escalation (LPE) in multistage attacks when attackers have penetrated a victim’s network in advance. These three vulnerabilities score high on the CVSS.
When Microsoft Azure users create a Linux virtual machine and enable a series of services, OMI —vulnerabilities and all — deploys in the system automatically. The services include Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, a list that is probably far from complete. The Open Management Infrastructure agent on its own has the highest privileges in the system, and because its tasks include collecting statistics and syncing configurations, it is generally accessible from the Internet through various HTTP ports, depending on the services enabled.
For example, if the listening port is 5986, attackers could potentially exploit the CVE-2021-38647 vulnerability and execute malicious code remotely. If the OMI is available for remote management (through port 5986, 5985, or 1270), outsiders can exploit the same vulnerability to gain access to the entire network neighborhood in Azure. Experts say the vulnerability is very easy to exploit.
This is even more severe. The RCE is the simplest RCE you can ever imagine. Simply remove the auth header and you are root. remotely. on all machines. Is this really 2021? pic.twitter.com/iIHNyqgew4
— Ami Luttwak (@amiluttwak) September 14, 2021
So far, no in-the-wild attacks have been reported, but with a lot of information available about how easy it exploiting these vulnerabilities would be, it probably won’t be long.
How to protect yourself
Microsoft has released patches for all four vulnerabilities. However, OMI does not always automatically update, so you’ll need to check to see which version is deployed on your Linux virtual machine. If it’s older than 1.6.8.1, update the Open Management Infrastructure agent. To see how, refer to the description of the CVE-2021-38647 vulnerability.
Experts also recommend restricting network access to ports 5985, 5986, and 1270 to prevent anyone from running RCE.