DIVD-2021-00026 - Omigod: Microsoft Open Management Interface RCE
| Our reference | DIVD-2021-00026 |
| Case lead | Frank Breedijk |
| Author | Célistine Oosting |
| Researcher(s) | |
| CVE(s) | |
| Product | Microsoft Open Management Infrastructure (OMI) |
| Versions | <1.13.40-0 |
| Recommendation | Upgrade to OMI version 1.13.40-0 or later and disable the OMI service |
| Patch status | patch available |
| Status | Closed |
| Last modified | 12 Aug 2022 11:21 |
Summary
Microsoft’s Open Management Interface (OMI) for Linux servers can be installed standalone but is mostly shipped, installed, and activated with Azure services such as LogAnalytics, Microsoft SystemCenter and potentially with more software and services. OMI had a critical vulnerability that made it possible to bypass authentication and thus execute code remotely. We have tried to scan for this vulnerability. However, the amount of internet-facing OMI instances is relatively low and none of them seemed vulnerable to OMIGOD.
What you can do
We recommend you to update your Linux servers running Microsoft Open Management Interface (OMI) to version 1.13.40-0 or later as the specific vulnerability was patched in this version, additionally we recommend that you disable the OMI service if you yourself are not actively using it.
What we are doing
We have tried scanning for vulnerable servers running Microsoft Open Management Interface (OMI). We found that:
- The number of internet-facing OMI instances is quite low
- None of these instances actually seems to be exploitable
We have discussed and confirmed these conclusions with the researchers from Wiz; nonetheless, we still think that OMIGOD is a significant security risk. It offers attackers substantial opportunity to move laterally and escalate privileges once they have compromised a host in the network. Also, companies may be running this service without their explicit knowledge, because it’s installed by default when using certain Azure services even on hosts not running inside the Azure cloud platform. Though, due to the limited internet exposure of OMI servers, we cannot work on this case any longer.
Timeline
| Date | Description |
|---|---|
| 14 Sep 2021 | CVE-2021-38647 Reported by researchers from Wiz. |
| 15 Sep 2021 | DIVD CSIRT starts scanning for OMIGOD |
| 16 Sep 2021 | CVE-2021-38647 patched by Microsoft |
| 24 Nov 2021 | Casefile written and case closed |
More information
- CVE-2021-38647 (OMIGOD): Critical Flaw Leaves Azure Linux VMs Vulnerable to Remote Code Execution
- Microsoft fixes OMIGOD bugs in secret Azure app - The Record by Recorded Future
- NCSC Advisory NCSC-2021-0801
- “Secret” Agent Exposes Azure Customers To Unauthorized Code Execution