Remotely exploitable vulnerability in the OMI agent in Microsoft Azure Linux environments

Customers of the Microsoft Azure cloud platform who run Linux in virtual machines have been hit by a critical vulnerability (CVE-2021-38647) that allows remote code execution with root privileges. The vulnerability has been codenamed OMIGOD and is notable in that the problem lies in the OMI Agent application, which is silently installed in Linux environments.

OMI Agent is installed and enabled when services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics and Azure Container Insights are used. For example, Linux environments in Azure for which monitoring is enabled turned out to be exposed to the attack. The agent is part of the open OMI (Open Management Infrastructure Agent) package, which implements the DMTF CIM/WBEM stack for IT infrastructure management.

OMI Agent is installed on the system under the omsagent user and creates entries in /etc/sudoers that let a number of scripts run with root privileges. While some of these services are running, listening network sockets are created on ports 5985, 5986 and 1270. A scan using the Shodan service shows more than 15 thousand vulnerable Linux environments reachable on the network. A working prototype exploit has already been published, allowing arbitrary code to be executed with root privileges on such systems.

The problem is made worse by the fact that the use of OMI is not explicitly documented in Azure and OMI Agent is installed without any warning: you only have to accept the terms of the selected service when setting up the environment and OMI Agent is enabled automatically, i.e. most users are not even aware that it is present.

The exploitation method is trivial: it is enough to send an XML request to the agent with the header responsible for authentication removed. OMI applies authentication when it receives management messages, verifying that the client is allowed to send the specific command. The essence of the vulnerability is that when the "Authentication" header, which carries the authentication data, is missing from the message, the server treats the check as passed, accepts the management message and lets the commands execute with root privileges. To execute commands on the system, it is enough to use the standard ExecuteShellCommand_INPUT command in the message. For example, to run the "id" utility, one sends the request: curl -H "Content-Type: application/soap+xml; charset=UTF-8" -k --data-binary "@http_body.txt" https://10.0.0.5:5986/wsman ...

Microsoft has already released OMI update 1.6.8.1, which fixes the vulnerability, but it has not yet been delivered to Microsoft Azure users (the old version of OMI is still being installed in newly created environments). Automatic updates are not supported, so users have to update the package manually; the installed version can be checked with "dpkg -l omi" on Debian/Ubuntu or "rpm -qa omi" on Fedora/RHEL. As a protective measure, blocking access to network ports 5985, 5986 and 1270 is recommended.

In addition to CVE-2021-38647, OMI 1.6.8.1 also addresses three further vulnerabilities (CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649) that could let an unprivileged local user execute code as root.
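As an added example (not code from the article or from the OMI project), a small Python triage helper that applies the remediation checks above: it parses the output of "dpkg -l omi" or "rpm -qa omi" to compare the installed build with 1.6.8.1 and scans "ss -ltn" output for listeners on ports 5985, 5986 and 1270. The sample outputs are constructed, and using "ss -ltn" to list the sockets is my assumption, not something the article states.

```python
"""Triage helper for OMIGOD (CVE-2021-38647) on a Linux host.

Added example, not code from the article or the OMI project. It parses
the output of the package-manager commands named in the article
("dpkg -l omi" / "rpm -qa omi") and of "ss -ltn" (an assumption); the
sample outputs are constructed and nothing is executed on the host."""
import re
from typing import Optional, Set, Tuple

FIXED_VERSION = (1, 6, 8, 1)    # OMI 1.6.8.1 fixes CVE-2021-38647
OMI_PORTS = {5985, 5986, 1270}   # ports on which the OMI agent listens

# constructed sample output of 'dpkg -l omi' and of 'ss -ltn'
SAMPLE_DPKG = "ii  omi  1.6.4.1  amd64  Open Management Infrastructure\n"
SAMPLE_SS = "LISTEN 0 128 *:5986 *:*\nLISTEN 0 128 [::]:1270 [::]:*\n"

def parse_omi_version(pkg_output: str) -> Optional[Tuple[int, ...]]:
    """Version from a dpkg -l line ('ii  omi  1.6.4.1  amd64 ...') or an
    rpm -qa line ('omi-1.6.4.1-1.x86_64'); None if not installed."""
    m = re.search(r"\bomi[\s-]+(\d+(?:\.\d+)+)", pkg_output)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable_version(version: Optional[Tuple[int, ...]]) -> bool:
    """True when OMI is installed and older than the fixed release."""
    if version is None:
        return False
    # pad to four components so that 1.6.8 compares sanely with 1.6.8.1
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION

def listening_omi_ports(ss_output: str) -> Set[int]:
    """OMI ports that 'ss -ltn' reports in LISTEN state."""
    found = set()
    for line in ss_output.splitlines():
        if "LISTEN" not in line:
            continue
        # fourth column is Local Address:Port, e.g. '*:5986' or '[::]:1270'
        m = re.search(r"\S+:(\d+)\s", line)
        if m and int(m.group(1)) in OMI_PORTS:
            found.add(int(m.group(1)))
    return found

if __name__ == "__main__":
    ver = parse_omi_version(SAMPLE_DPKG)
    print("version:", ver, "vulnerable:", is_vulnerable_version(ver),
          "exposed ports:", sorted(listening_omi_ports(SAMPLE_SS)))
```

A host reporting a version below 1.6.8.1 together with any of the three ports listening is the case the article describes; a missing package means OMI was not pulled in by any of the listed services.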

Source: opennet.ru
