critical

OMIGOD

Published Tue, Jun 1st, 2021
Platforms

Summary

Azure forces the installation of an agent (OMI) on Linux VMs. The agent contained a vulnerability that would grant remote code execution as root to an attacker who could send a web request to an affected VM. Initially, Microsoft did not update the agent automatically, so customers had to patch manually; a few days later, Microsoft began patching some services remotely.

Affected Services

OMI

Remediation

Customers must update vulnerable extensions for their cloud and on-premises deployments. New VMs in a region are protected from these vulnerabilities as they are created. For cloud deployments, Microsoft has deployed the updates to extensions across Azure regions. The automatic extension updates were applied transparently, without a reboot. Where possible, customers should ensure that automatic extension updates are enabled.

Tracked CVEs

CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, CVE-2021-38649

References

Disclosure Date
Tue, Sep 14th, 2021
Exploitability Period
-
Known ITW Exploitation
true
Detection Methods
OMI version < 1.6.8.1
Piercing Index Rating
8.66 (PI:1.5/A1:20/A2:1/A7:1/A8:1.1)
Discovered by
Nir Ohfeld, Wiz