Remotely exploitable vulnerability in the OMI agent installed in Microsoft Azure Linux environments.

Customers of the Microsoft Azure cloud platform who run Linux in virtual machines have been hit by a critical vulnerability (CVE-2021-38647) that allows remote code execution as root. The vulnerability has been codenamed OMIGOD and is notable because the problem lies in the OMI Agent application, which is silently installed in Linux environments.

The OMI Agent is automatically installed and activated when using services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, Azure Diagnostics, and Azure Container Insights. For example, Linux environments in Azure that have monitoring enabled are open to attack. The agent is part of the open-source OMI (Open Management Infrastructure Agent) package, an implementation of the DMTF CIM/WBEM stack for managing IT infrastructure.

The OMI Agent is installed on the system under the omsagent user and adds settings to /etc/sudoers so that a series of scripts can run as root. While some of these services are running, listening network sockets are created on network ports 5985, 5986 and 1270. A scan with the Shodan service shows more than 15 vulnerable Linux environments on the network. A working exploit prototype has already been published publicly; it allows code to be executed as root on such systems.

The problem is made worse by the fact that Azure does not explicitly document the use of OMI, and the OMI Agent is installed without warning: it is enough to agree to the terms of the selected service when setting up the environment and the OMI Agent is activated automatically, i.e. most users are not even aware of its presence.

The exploitation method is trivial: it is enough to send an XML request to the agent with the header responsible for authentication removed. OMI uses authentication when it receives control messages, to verify that the client is authorized to send a particular command. The essence of the vulnerability is that when the "Authentication" header responsible for authentication is removed from the message, the server treats the authentication as successful, accepts the control message and allows commands to be executed with root privileges. To execute arbitrary commands on the system, it is enough to use the standard ExecuteShellCommand_INPUT command in the message. For example, to run the "id" utility, it is enough to send the request: curl -H "Content-Type: application/soap+xml;charset=UTF-8" -k --data-binary "@http_body.txt" https://10.0.0.5:5986/wsman … id 2003

Microsoft has already released the OMI 1.6.8.1 update with a fix for the vulnerability, but it has not yet been delivered to Microsoft Azure users (in new environments, the old version of OMI is still being installed). Agent auto-update is not supported, so users need to update the package manually using "dpkg -l omi" on Debian/Ubuntu or "rpm -qa omi" on Fedora/RHEL. As a security workaround, it is recommended to block access to network ports 5985, 5986, and 1270.
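A defender-side check for the two mitigations above, as an added example that is not from the article or from Microsoft: it classifies the installed omi package against the fixed 1.6.8.1 release and reports which of ports 5985, 5986 and 1270 are listening. The function names, the dpkg-query/rpm queries, the version-string format and the sample `ss -tln` output are assumptions made for the example.

```shell
# Added example, not from the article: audit a Linux host for the OMI exposure.
FIXED="1.6.8.1"              # fixed OMI release named in the article
OMI_PORTS="5985 5986 1270"   # listener ports named in the article

# version_lt A B: succeed when A is older than B (assumes numeric fields split by '.' or '-').
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# omi_status VERSION: classify a package version (empty = not installed).
omi_status() {
    if [ -z "$1" ]; then echo "not-installed"
    elif version_lt "$1" "$FIXED"; then echo "vulnerable"
    else echo "patched"
    fi
}

# installed_omi_version: print the omi package version, or nothing.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null || true
    elif rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
}

# exposed_omi_ports: read `ss -tln` output on stdin, print OMI ports listening.
exposed_omi_ports() {
    awk -v ports="$OMI_PORTS" 'BEGIN { n = split(ports, p, " ") }
        $1 == "LISTEN" { port = $4; sub(/.*:/, "", port); seen[port] = 1 }
        END { for (i = 1; i <= n; i++) if (p[i] in seen) out = out " " p[i]
              print substr(out, 2) }'
}

# Constructed sample of `ss -tln` output, so the demo runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22    0.0.0.0:*
LISTEN 0      128    [::]:5986     [::]:*
LISTEN 0      128    0.0.0.0:1270  0.0.0.0:*'
echo "sample host: omi $(omi_status 1.6.8.0), listening on: $(printf '%s\n' "$SAMPLE_SS" | exposed_omi_ports)"
# On a real host: omi_status "$(installed_omi_version)"; ss -tln | exposed_omi_ports
```

A host that reports "vulnerable" together with any listening port is the combination to prioritise for the manual package update and for firewalling.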

In addition to CVE-2021-38647, OMI 1.6.8.1 also fixes three vulnerabilities (CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649) that could allow an unprivileged local user to execute their own code.

Source: opennet.ru
