Detection and Response to OMIGOD Exploitations — Azure OMI Vulnerabilities
Recently, a few vulnerabilities in Azure (named OMIGOD) were discovered by Wiz’s research team:
- CVE-2021-38647: Unauthenticated RCE as root (Severity: 9.8)
- CVE-2021-38648: Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38645: Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38649: Privilege Escalation vulnerability (Severity: 7.0)
These vulnerabilities exist in the ubiquitous software agent called Open Management Infrastructure (OMI). The OMI package provides a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytic services and automation functionality within UNIX and Linux systems. OMI is used by Microsoft Azure to manage UNIX packages within Azure virtual machines (VMs), containers and serverless cloud instances.
The Impact of OMIGOD Vulnerabilities
On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the findings and the scope of the impact of the four critical vulnerabilities. According to Microsoft’s security release notes, any system created after Aug. 11, 2021, or whose OMI package has been updated since then, should automatically be patched.
The OMIGOD Vulnerability and Attack
Let’s briefly review the vulnerabilities. First of all, the OMI agent runs as root user on Linux. Any user can communicate with it using a UNIX socket or via an HTTP API when configured to allow external access. As a result, the vulnerabilities would allow external users or low-privileged users to remotely execute code on target machines or escalate privileges.
Three of these vulnerabilities are privilege escalation vulnerabilities, while the fourth vulnerability allows remote code execution (RCE). Some Azure products, including Configuration Management, expose an HTTPS port (port 5986) for interacting with OMI. That’s what makes RCE possible. Note that most Azure services that use OMI deploy it without exposing the HTTPS port.
An attacker can exploit the RCE (CVE-2021-38647) with a SOAP message payload lacking the Authorization header. The root cause is a combination of a simple coding mistake in a conditional statement and an uninitialized auth struct: any request without an Authorization header has its privileges default to uid=0, gid=0, which is root.
To exploit the local privilege escalation vulnerability (CVE-2021-38648), the attacker can abuse the authentication protocol within the agent by omitting the initial authentication request and sending the command execution request to gain root command execution. For more detail, we recommend the in-depth vulnerability blog.
Detection and Response to OMIGOD in your environment
Microsoft has published a blog to help customers detect potential exploitation if they have auditd logging enabled on their Linux machines. The key idea is to look for execve system calls with a working directory (cwd) of /var/opt/microsoft/scx/tmp.
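The check described above, written out as an added example (it is not code from Microsoft's blog or from Confluera): it groups raw auditd records by event ID and reports execve events whose CWD record is /var/opt/microsoft/scx/tmp. The log lines are constructed samples, and the function and variable names are assumptions made for illustration.

```python
import re
from collections import defaultdict

SCX_TMP = "/var/opt/microsoft/scx/tmp"  # working directory named in the guidance
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODED = re.compile(r"a\d+|cwd|exe|comm")  # string fields auditd may hex-encode

def decode(key, value):
    """Strip quotes; hex-decode unquoted string fields (auditd does this for spaces)."""
    if value.startswith('"'):
        return value[1:-1]
    if ENCODED.fullmatch(key) and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def find_scx_execs(lines):
    """Correlate records by audit event ID; return execve events run from SCX_TMP."""
    events = defaultdict(dict)
    for line in lines:
        m = HEADER.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)][rtype] = {k: decode(k, v) for k, v in FIELD.findall(body)}
    hits = []
    for key in sorted(events):
        recs = events[key]
        if "EXECVE" not in recs or recs.get("CWD", {}).get("cwd") != SCX_TMP:
            continue
        ex, sc = recs["EXECVE"], recs.get("SYSCALL", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        hits.append({"event": f"{key[0]}:{key[1]}", "uid": sc.get("uid"),
                     "exe": sc.get("exe"), "argv": argv})
    return hits

# Constructed sample records (not from a real host), in raw audit.log layout.
SAMPLE = """\
type=SYSCALL msg=audit(1631700000.101:901): arch=c000003e syscall=59 success=yes exit=0 pid=4242 uid=0 comm="sh" exe="/usr/bin/dash"
type=EXECVE msg=audit(1631700000.101:901): argc=3 a0="/bin/sh" a1="-c" a2=6964202D75
type=CWD msg=audit(1631700000.101:901): cwd="/var/opt/microsoft/scx/tmp"
type=SYSCALL msg=audit(1631700005.330:902): arch=c000003e syscall=59 success=yes exit=0 pid=4300 uid=1000 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1631700005.330:902): argc=1 a0="ls"
type=CWD msg=audit(1631700005.330:902): cwd="/home/azureuser"
"""

if __name__ == "__main__":
    for hit in find_scx_execs(SAMPLE.splitlines()):
        print(hit)
```

Each hit carries the decoded command line, so an analyst can review what was executed; a match is a lead to triage against expected management activity, not proof of exploitation on its own.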
We advise Confluera customers to use our threat progression and/or detection capabilities to monitor whether any potential exploitation has succeeded. See Confluera’s container threat detection blog for more examples of threat progressions and how we track attacker activities in customers’ environments. Customers can also view the detailed activities the attacker has performed from the threat progression, as well as the process tree information. Additionally, customers can perform response actions from their progression dashboard to kill the malicious processes.
Since December 2020, we have witnessed an unprecedented number of cyberattacks exploiting software supply chains. Cloud providers are no exception, as they also rely on open source components to perform critical tasks on tenant assets.
Malicious actors with remote and local access to a system running vulnerable OMI packages can gain root privileges by exploiting the OMIGOD vulnerabilities. It is recommended that you patch the vulnerability as soon as you can.
Detection and response solutions play a critical role, especially in identifying previously unknown supply chain compromises. If you need help stopping OMIGOD in your environment, contact us today!