Remotely exploitable vulnerability in the OMI agent forced into Microsoft Azure Linux environments

Customers of the Microsoft Azure cloud platform who run Linux in virtual machines face a critical vulnerability (CVE-2021-38647) that allows remote code execution with root privileges. The vulnerability has been given the code name OMIGOD and is notable because the problem lies in the OMI agent application, which is silently installed into Linux environments without the user asking for it.

The OMI agent is activated without being requested when services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management and Azure Diagnostics are used. For example, Linux environments in Azure for which monitoring is enabled are exposed to the attack. The agent is part of the open-source OMI (Open Management Infrastructure) package, which implements the DMTF CIM/WBEM stack for managing IT infrastructure.

The OMI agent is installed on the system under the user omsagent and adds entries to /etc/sudoers to run a number of scripts with root privileges. While running, it creates listening network sockets on ports 5985, 5986 and 1270. A scan in the Shodan service shows more than 15 thousand vulnerable Linux environments reachable from the network. A working exploit prototype that allows executing code with root privileges on such systems is already publicly available.

The exploitation method is trivial: it is enough to send the agent an XML request with the header responsible for authentication removed. OMI authenticates incoming control messages, checking that the client has the right to send a given command. The essence of the vulnerability is that when the "Authentication" header responsible for authentication is removed from the message, the server treats the check as passed, accepts the control message and allows commands to be executed with root privileges. To execute arbitrary commands on the system, it is enough to use the ExecuteShellCommand_INPUT command in the message. For example, to run the "id" utility, it is enough to send the request:

curl -H "Content-Type: application/soap+xml;charset=UTF-8" -k --data-binary "@http_body.txt" https://10.0.0.5:5986/wsman …

Microsoft has already released the update OMI 1.6.8.1 with a fix for the vulnerability, but it has not yet been delivered to Microsoft Azure users (new environments are still provisioned with
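The facts above (fix in OMI 1.6.8.1, listeners on ports 5985, 5986 and 1270) give an administrator two things to check on an Azure Linux VM: whether the installed OMI package predates the fix, and whether the management ports are actually listening. The following POSIX shell script is an added example written for this article, not code from Microsoft or the OMI project; it assumes the package is registered under the name "omi" in dpkg or rpm and that its version string looks like "1.6.8.1" or "1.6.8-1" (both normalised to dotted numbers before comparison).

```shell
#!/bin/sh
# Added example, not part of the original article: audit a Linux host for the
# conditions the article describes (OMI package older than the 1.6.8.1 fix and
# TCP listeners on the OMI management ports 5985, 5986 and 1270).
# Assumptions (not from the article): the package is named "omi" in dpkg/rpm,
# and its version string looks like "1.6.8.1" or "1.6.8-1".

FIXED_OMI_VERSION="1.6.8.1"   # first release with the fix, per the article
OMI_PORTS="5985 5986 1270"    # ports the agent listens on, per the article

# Normalise a package version to dotted numbers only: "1.6.8-1" -> "1.6.8.1".
normalize_omi_version() {
  printf '%s' "$1" | sed 's/-/./g; s/^[^0-9]*//; s/[^0-9.].*$//'
}

# Compare two dotted numeric versions component by component; prints -1, 0 or 1.
vercmp() {
  va="$1"; vb="$2"
  while [ -n "$va" ] || [ -n "$vb" ]; do
    ha="${va%%.*}"; hb="${vb%%.*}"
    case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
    case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
    ha="${ha:-0}"; hb="${hb:-0}"          # missing trailing components count as 0
    if [ "$ha" -lt "$hb" ]; then printf '%s\n' -1; return; fi
    if [ "$ha" -gt "$hb" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when the given OMI version predates the fixed release.
omi_is_vulnerable() {
  [ "$(vercmp "$(normalize_omi_version "$1")" "$FIXED_OMI_VERSION")" = "-1" ]
}

# Installed OMI version from the package manager; non-zero exit if not installed.
installed_omi_version() {
  v=""
  if command -v dpkg-query >/dev/null 2>&1; then
    v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) || v=""
  fi
  if [ -z "$v" ] && command -v rpm >/dev/null 2>&1; then
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) || v=""
  fi
  v=$(normalize_omi_version "$v")
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# Print which of the OMI ports currently have a TCP listener (uses iproute2 "ss").
omi_listening_ports() {
  command -v ss >/dev/null 2>&1 || return 0
  listeners=$(ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' | sed 's/.*://')
  for p in $OMI_PORTS; do
    for l in $listeners; do
      [ "$l" = "$p" ] && printf '%s ' "$p"
    done
  done
  return 0
}

# Human-readable summary combining both checks.
omi_report() {
  if v=$(installed_omi_version); then
    if omi_is_vulnerable "$v"; then
      echo "OMI $v is older than $FIXED_OMI_VERSION: affected by CVE-2021-38647, update the package"
    else
      echo "OMI $v already contains the fix"
    fi
  else
    echo "OMI package not installed"
  fi
  ports=$(omi_listening_ports)
  if [ -n "$ports" ]; then
    echo "OMI management ports listening: $ports(restrict them with the VM firewall or an Azure NSG)"
  fi
  return 0
}

omi_report
```

Run it as root on the VM; a version older than 1.6.8.1 combined with a listener on 5985/5986/1270 is exactly the exposed configuration the article describes, and until the updated package arrives the listening ports should be blocked from untrusted networks.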
