Remotely exploitable vulnerability in the OMI agent forced onto Microsoft Azure Linux environments

Microsoft Azure customers running Linux in virtual machines are affected by a critical vulnerability (CVE-2021-38647) that allows remote code execution as root. The vulnerability was codenamed OMIGOD and is notable because the flaw sits in the OMI Agent, an application that is silently installed in Linux environments.

OMI Agent is automatically installed and activated when services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights are used. For example, any Linux environment in Azure with monitoring enabled is exposed to the attack. The agent is part of the open-source OMI package (Open Management Infrastructure Agent), an implementation of the DMTF CIM/WBEM stack for IT infrastructure management.

The OMI Agent is installed on the system under the omsagent user and adds entries to /etc/sudoers so that a set of scripts can be run as root. While some services are operating, listening network sockets are opened on ports 5985, 5986 and 1270. A Shodan scan shows more than 15 thousand vulnerable Linux environments reachable on the Internet. A working proof-of-concept exploit has already been published, allowing arbitrary code to be executed as root on such systems.

The problem is aggravated by the fact that Azure does not explicitly document its use of OMI, and OMI Agent is installed without warning: it is enough to accept the terms of the selected service when setting up the environment, and OMI Agent is activated automatically, so most users are not even aware of its presence.

The method of exploitation is trivial: it is enough to send an XML request to the agent with the header responsible for authentication removed. OMI authenticates incoming control messages, verifying that the client is authorized to send a particular command. The essence of the vulnerability is that when the "Authentication" header is removed from the message, the server treats the check as passed, accepts the control message and allows commands to be executed with root privileges. To execute arbitrary commands on the system, it is enough to use the standard ExecuteShellCommand_INPUT command in the message. For example, to run the "id" utility, it is enough to send a request such as: curl -H "Content-Type: application/soap+xml;charset=UTF-8" -k --data-binary "@http_body.txt" https://10.0.0.5:5986/wsman … id 2003

Microsoft has already released the OMI 1.6.8.1 update with a fix for the vulnerability, but it has not yet reached Microsoft Azure users (new environments are still being provisioned with the old version of OMI). The agent does not support auto-update, so users need to update the package manually; the installed version can be checked with "dpkg -l omi" on Debian/Ubuntu or "rpm -qa omi" on Fedora/RHEL. As a workaround, it is recommended to block access to network ports 5985, 5986 and 1270.
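The following script is an added example (not from the original article or the OMI project): it checks whether the installed OMI package is older than 1.6.8.1 and whether any of the ports named above are listening, so an administrator can see at a glance whether a host still needs the update or the port block. It assumes the package is named "omi" in dpkg/rpm and that the ss utility is available for the port check.

```shell
#!/bin/sh
# Added example: audit a Linux host for a vulnerable OMI package (CVE-2021-38647).
FIXED_VERSION="1.6.8.1"        # version that the article says carries the fix

# version_lt A B: return 0 if dotted version A is older than B, component by component.
version_lt() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# installed_omi_version: print the OMI version as digits and dots only
# (a Debian revision such as "1.6.8-1" is normalised to "1.6.8.1"); empty if absent.
installed_omi_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}' omi 2>/dev/null | tr -c '0-9\n' '.'
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null | tr -c '0-9\n' '.'
  fi
}

# listening_omi_ports: print which of the OMI ports from the article are listening on TCP.
listening_omi_ports() {
  ss -ltn 2>/dev/null | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' \
    | grep -Ex '5985|5986|1270' | sort -u
}

# omi_report: human-readable summary; exit status 1 when the host looks vulnerable.
omi_report() {
  v=$(installed_omi_version)
  if [ -z "$v" ]; then echo "OMI package not installed"; return 0; fi
  rc=0
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE: omi $v is older than $FIXED_VERSION (update, or block 5985/5986/1270)"
    rc=1
  else
    echo "ok: omi $v is at or above $FIXED_VERSION"
  fi
  for p in $(listening_omi_ports); do echo "listening OMI port: $p"; done
  return "$rc"
}

omi_report
```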

In addition to CVE-2021-38647, OMI 1.6.8.1 also fixes three vulnerabilities (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) that could allow an unprivileged local user to execute code as root.

Source: opennet.ru