Azure Linux admins urged to patch four zero-day OMI vulnerabilities

IT administrators overseeing certain Microsoft Azure Linux virtual machines are being urged to make sure patches are installed after the discovery of four zero-day vulnerabilities that could allow systems to be compromised.

The vulnerabilities have collectively been dubbed ‘OMIGOD’ because they involve a little-known software agent called Open Management Infrastructure (OMI) that’s embedded in many popular Azure services. OMI is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs.

However, all OMI versions below v1.6.8-1 are vulnerable to the bugs discovered by researchers at a cybersecurity company called Wiz. When customers set up a Linux virtual machine in their cloud, their report notes, the OMI agent is automatically deployed and runs at the highest privilege possible without their knowledge when they enable certain Azure services.

“Unless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code,” researchers warned.

“We named this quartet of zero-days ‘OMIGOD’ because that was our reaction when we discovered them. We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65 per cent were unknowingly at risk.”

Microsoft reaction

On Thursday Microsoft issued updated guidance on dealing with the problem, which only impacts customers using a Linux management solution (on-premises System Center Operations Manager (SCOM), Azure Automation State Configuration or the Azure Desired State Configuration extension) that enables remote OMI management.

Customers must update vulnerable extensions for their cloud and on-premises deployments as the updates become available, said Microsoft. It also released a schedule of when those updates are coming.

New VMs in Azure regions will be protected from these vulnerabilities once the updated extensions are available, Microsoft said. For cloud deployments with auto-update turned on, Microsoft will actively deploy the updates to extensions across Azure regions under the release schedule. Extensions updated automatically will be patched transparently, without a reboot, it said. “Where possible,” it adds, “customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.”

Updates are already available for DSC and SCOM to address the remote code execution vulnerability. While updates are being rolled out using safe deployment practices, customers can protect against the remote code execution vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall, and by restricting access to Linux systems that expose the OMI ports (TCP 5985, 5986 and 1207), Microsoft said.

Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows and are not impacted by these vulnerabilities, it added.
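The port-restriction advice above only helps if you know which hosts run OMI, at what version, and whether the agent is actually listening. The script below is an added example, not code from the article, Microsoft or Wiz: it compares the installed `omi` package version against the 1.6.8-1 threshold cited above and lists TCP listeners bound to ports 5985, 5986 and 1207. The package name `omi`, the use of rpm/dpkg-query, and iproute2's `ss` are assumptions.

```shell
#!/bin/sh
# Added check, not code from the article, Microsoft or Wiz. Assumptions: OMI is
# installed as the "omi" rpm/deb package and iproute2's `ss` is available.
OMI_FIXED_VERSION="1.6.8-1"   # first fixed OMI release, per the article
# Returns 0 (true) when version $1 is older than version $2. Each is split on
# every non-digit ("1.6.8-0" -> 1 6 8 0) and compared field by field; a missing
# trailing field counts as 0, so "1.6.8" ranks below "1.6.8-1".
omi_version_lt() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Prints the installed OMI package version, or nothing if it is not installed.
omi_installed_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null || true
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null || true
    fi
}

# Prints local address:port of every TCP listener on the three OMI ports.
omi_ports_listening() {
    ss -Hltn 2>/dev/null | awk '$4 ~ /:(5985|5986|1207)$/ { print $4 }'
}

omi_report() {
    v=$(omi_installed_version)
    if [ -z "$v" ]; then
        echo "omi package not installed"
    elif omi_version_lt "$v" "$OMI_FIXED_VERSION"; then
        echo "VULNERABLE: omi $v is below $OMI_FIXED_VERSION; patch or block OMI ports"
    else
        echo "ok: omi $v is at or above $OMI_FIXED_VERSION"
    fi
    echo "TCP listeners on OMI ports 5985/5986/1207 (empty means none bound):"
    omi_ports_listening
}
omi_report
```

Run it as root on each Linux VM (or through your configuration-management tool); a VULNERABLE result with a listener on any of the three ports is the combination the NSG or firewall restriction above is meant to cover until the extension update lands.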

The four vulnerabilities are

Wiz says environments that could be compromised run Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights.

Wiz researchers add that, beyond Azure cloud customers, other Microsoft customers are affected, since OMI can be independently installed on any Linux machine and is frequently used on-premises. For example, they note, OMI is built into System Center for Linux, Microsoft’s server management solution.

The post Azure Linux admins urged to patch four zero-day OMI vulnerabilities first appeared on IT World Canada.

This section is powered by IT World Canada. ITWC covers the enterprise IT spectrum, providing news and information for IT professionals aiming to succeed in the Canadian market.