
OMIGOD vulnerability of Microsoft Azure – Resolution

The OMIGOD vulnerability in Microsoft Azure based Linux deployments has been resolved as part of Microsoft's Patch Tuesday release of 14th September 2021. Microsoft has published a list of the Azure security and automation tools affected by this vulnerability, along with the patch details for Azure Linux customers to apply to the affected components.

  1. The OMIGOD vulnerability is being used to drop botnets and crypto miners on Linux virtual machines on Azure.
  2. Since this is a CVSS 9.8 vulnerability, you must patch OMIGOD manually by upgrading the OMI agent on the Linux VM to 1.6.8-1 immediately.
  3. If patching is not immediately possible, block ports 5985, 5986 and 1270 from outside access.

What is the OMIGOD vulnerability?

The OMIGOD vulnerability affects the management module (OMI, Open Management Infrastructure) that Microsoft Azure deploys to manage Linux and Unix servers. This remote management module is auto-deployed whenever you deploy a Linux virtual machine on the Azure cloud. The vulnerability is reachable through the ports OMI exposes for remote support and maintenance; OMI listens for HTTPS on port 5986 by default.

An attacker could use ports 5985, 5986 and 1270 to send a maliciously crafted HTTP or HTTPS request, which can lead to remote code execution. The RCE vulnerability is tracked as CVE-2021-38647. It has a CVSS score of 9.8, is critical for the infrastructure deployed, and requires an immediate resolution.

Aside from the remote code execution threat, an attacker could also resort to privilege escalation on the target server. The privilege escalation vulnerabilities are tracked under the following CVEs:

  • CVE-2021-38645
  • CVE-2021-38648
  • CVE-2021-38649

What is the resolution for the OMIGOD vulnerability?

Before we embark on the resolution, let us understand a few caveats:

  • The vulnerability affects all OMI installations older than 1.6.8-1. This includes on-premise and cloud deployments of Linux that use OMI for VM management extensions.
  • Before proceeding with the patching, check whether the HTTPS ports used for OMI management are in use on your virtual machines.
  • Grep for ports 5985, 5986 and 1270 in separate netstat commands:
  • netstat -an | grep 5985
  • netstat -an | grep 5986
  • netstat -an | grep 1270

Do you see any of these ports listening on your virtual machine instance? If yes, we definitely need to patch the vulnerability. If these ports are not listening for any HTTPS requests, we are safe for now. It is also worth checking the firewall to confirm that ports 5985, 5986 and 1270 are closed to remote maintenance over the Internet.
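As an added example, not code from the original post, the following POSIX shell script wraps the two checks discussed above (the netstat port check, and the "older than 1.6.8-1" version test) in functions that can be tested offline. The sample netstat output and the omi_check.sh file name are constructed for the demonstration, and the live-check function assumes dpkg or rpm is present to report the installed omi package version.

```shell
# Added example, not from the original post: offline-testable helpers for the two
# checks above (are the OMI ports listening; is the installed OMI older than the
# fixed 1.6.8-1). Ports and version are the post's; the netstat sample is constructed.
OMI_PORTS="5985 5986 1270"
OMI_FIXED="1.6.8-1"

# Constructed `netstat -an` sample: 22 and 5986 listening; 5985 appears only as
# the remote end of an outbound connection and must not count; 1270 is absent.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5986            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.4:49152          10.0.0.9:5985           ESTABLISHED'

# Read `netstat -an` or `ss -tln` output on stdin; print each OMI port in LISTEN
# state, one per line (":<port>" must be followed by whitespace, so 1270 does not
# match 12700). Returns 1 when none of the ports is listening.
omi_listening_ports() {
    input=$(cat)
    found=""
    for p in $OMI_PORTS; do
        if printf '%s\n' "$input" | grep LISTEN | grep -Eq ":${p}([[:space:]]|$)"; then
            found="$found $p"
        fi
    done
    [ -n "$found" ] || return 1
    printf '%s\n' $found
}

# Return 0 (true) when the given OMI version is older than $OMI_FIXED. Accepts
# both the rpm form "1.6.8-1" and the dpkg form "1.6.8.1" of the same release.
omi_is_vulnerable() {
    printf '%s\n%s\n' "$1" "$OMI_FIXED" | awk -F'[.-]' '
        { for (i = 1; i <= 4; i++) v[NR, i] = $i + 0 }   # row 1: installed, row 2: fixed
        END {
            for (i = 1; i <= 4; i++) {
                if (v[1, i] < v[2, i]) exit 0   # older than the fix: vulnerable
                if (v[1, i] > v[2, i]) exit 1   # newer than the fix
            }
            exit 1                              # identical: already patched
        }'
}

# Live checks for the reader's own host (run as: sh omi_check.sh --live).
run_live_checks() {
    { ss -tln 2>/dev/null || netstat -an; } | omi_listening_ports && echo "OMI ports above are listening: keep them blocked from the Internet"
    v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null || rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null)
    [ -n "$v" ] && omi_is_vulnerable "$v" && echo "OMI $v is older than $OMI_FIXED: patch now"
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Without `--live` the script only defines the helpers, so it can be sourced and the functions fed captured netstat or ss output from another host.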

Do note that PowerShell remoting also uses these ports, 5985 and 5986. So, if ports 5985 and 5986 are closed, you won't be able to use PowerShell remoting over the Internet. PowerShell (through WinRM) listens on these ports for maintenance tasks and remote command execution.

One high-level mitigation for the OMIGOD vulnerability is to close ports 5985, 5986 and 1270 to outside traffic. Alternatively, put the Linux virtual machines in a separate Network Security Group for better traffic segmentation and security. Limit the exposure of the target Linux virtual machines on your cloud or on-premise network.

If you are running a Linux VM on Azure, you are likely to be running the OMI management extensions automatically. It does not hurt, though, to check whether the Linux virtual machine is actually running OMI. We can list the extensions available to Linux virtual machine instances through the Azure CLI:

az vm extension image list --location eastus --output table

The output of this command lists all the extension images available to Linux virtual machines in a particular region. In other words, the output is region-specific, and different regions of the Azure cloud offer different extensions. If these extensions include the OMI-based extension, proceed with the installation of the security update that resolves the CVE-2021-38647 vulnerability in OMI.

Microsoft has also laid out the management and security extensions that are likely to be impacted by the OMIGOD vulnerability.

Which Azure security or management tools are affected by the OMIGOD vulnerability?

As of writing this, the OMIGOD vulnerability is present if you use one or more of the following extensions to manage your virtual machines:

  1. Azure security center – Azure Cloud deployments
  2. Azure automation – Azure cloud or on-premise deployments
  3. Azure automation update management – Azure cloud or on-premise deployments
  4. Azure diagnostics – Azure cloud deployments
  5. Azure automation state configuration, DSC extension – Azure cloud or on-premise deployments
  6. Log Analytics agent – Azure cloud or on-premise deployments
  7. System Center Operations Manager (SCOM) – Azure cloud or on-premise deployments
  8. OMI package downloaded from GitHub as a standalone package for deployment on Azure cloud or on-premise infrastructure.

If you identify any of the above listed management extensions on your cloud or on-premise network, you will need to upgrade OMI to version 1.6.8-1 or the Linux agents to their upgraded versions.

How can I upgrade the OMI extension on an Azure cloud Linux VM?

We have the following three scenarios for OMIGOD vulnerability resolution on Azure based Linux or Unix virtual machines:

  • If you have OMI as a standalone package, you will need to update it manually to 1.6.8-1. The patch is available for direct download from https://github.com/Microsoft/omi/releases. This is the default setting for Azure customers, so please install OMI 1.6.8-1 manually to be patched against the RCE vulnerability.
  • If you are using OMI in an on-premise deployment, you will need to update the OMI extensions manually.
  • For all other cloud-deployed extensions or Azure security management tools where automatic updates are enabled, automatic updates are being rolled out on Azure cloud. These are likely to be patched by 18th September.

For default Azure Linux VM servers, the manual update to OMI 1.6.8-1 has to be deployed. If you are using an Azure cloud based security management extension that relies on OMI, your VM will be patched automatically provided automatic updates are enabled. On-premise customers will need to download the patch manually and deploy it on their infrastructure.

For on-premise customers and for customers who have automatic updates disabled, the security patch that needs to be installed for the OMIGOD vulnerability depends on the management extension in use. In any case, the mitigation involves installing one of the following packages:

  • OMI 1.6.8-1 for standalone OMI, System Center Operations Manager (SCOM) and the Azure automation state configuration DSC extension. Download it from GitHub. This is the default for most administrators of the Azure cloud.
  • OMS Agent for Linux GA v1.13.40-0 for Azure automation, Azure automation update management, and the Log Analytics agent. Download it from here – https://github.com/microsoft/OMS-Agent-for-Linux/releases/tag/OMSAgent_v1.13.40-0
  • The DSC extension for Azure Automation State Configuration can be downloaded as per the instructions on https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-linux. We need to install DSC agent version 2.71.1.25, 2.70.0.30 or 3.0.3, depending on the release branch you are on: if you are on DSC agent 2.71.x.x, upgrade to 2.71.1.25; if you are on 2.70.x.x, upgrade to 2.70.0.30; if you are on 3.x.x, upgrade to 3.0.3.

Summary

Resolution of the OMIGOD vulnerability, aka CVE-2021-38647, lies in upgrading OMI to 1.6.8-1 manually. We suggest that you apply the 1.6.8-1 patch manually and immediately, and be done with it. You can download a Debian or RPM package to match the Linux distribution on your cloud server.

If installing the OMI 1.6.8-1 patch is not possible immediately, block ports 5985, 5986 and 1270 on your firewall. This works well for the interim period, until the security patch is installed on your Linux VM.

For cloud based deployments and for Azure security management tools, the upgrade will happen automatically through automatic updates on Azure cloud. For on-premise, you will need to install the patch file on your own. Bottom line – you will need to update OMI to 1.6.8-1 for default installations of Linux VMs on the Azure cloud.