Executive Summary
On Sept. 14, 2021, Microsoft's Security Response Center (MSRC) published security updates and an advisory for four critical vulnerabilities in Open Management Infrastructure (OMI), an open-source package shipped with Microsoft Azure. OMI provides a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytics and automation, on UNIX and Linux systems. Azure uses it to manage UNIX and Linux packages within Azure virtual machines (VMs), containers and serverless cloud instances. According to Microsoft's release notes, any system created, or whose OMI package was updated, after Aug. 11, 2021 should already carry the patched version.
Four Critical OMI Vulnerabilities
The four critical vulnerabilities, discovered by security researchers from Wiz, comprise one unauthenticated remote code execution (RCE) vulnerability and three privilege escalation vulnerabilities:
- CVE-2021-38645 – Privilege Escalation vulnerability
- CVE-2021-38647 – Unauthenticated RCE as root
- CVE-2021-38648 – Privilege Escalation vulnerability
- CVE-2021-38649 – Privilege Escalation vulnerability
Dubbed OMIGOD, the four vulnerabilities were found to directly affect Azure cloud instances using the following Azure services:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
Prisma Cloud Compute Defender agents detect whether any Azure system is vulnerable to the four CVEs. Prisma Cloud users can also build a custom vulnerability detection rule that flags any system running an OMI package older than 1.6.8.1 (the 1.6.8-1 release on GitHub, which is the first fixed version).
To build a custom vulnerability detection rule, open Prisma Cloud and navigate to:
- Compute > Manage > System > Custom Feeds > Custom Vulnerabilities > Import CSV
- Create a CSV file containing the following two lines (a header row and one rule row; the empty trailing md5 field is intentional) and import it:
name,type,package,minVersionInclusive,maxVersionInclusive,md5
OMIGOD,package,omi,*,1.6.8.0,
Palo Alto Networks Azure-based VM- and CN-Series Firewall instances do not use the OMI package and are not vulnerable to the OMI critical vulnerabilities.
Remediation
Prisma Cloud raises an alert for any system running an OMI package vulnerable to these CVEs. Note that OMI is usually installed as a dependency of the agents behind the Azure services listed above rather than deliberately, so a host can carry it without anyone having chosen to install it. For each Azure cloud instance identified as vulnerable:
- Log on to the Azure instance using SSH.
- Query the installed OMI package version:
- Debian-based systems – sudo apt list omi
- CentOS and other RPM-based systems – sudo yum list omi
- Determine whether the installed OMI version is < 1.6.8.1 (OMI 1.6.8-1 is the first fixed release).
- If the system has an older version of OMI, follow the update steps on the OMI GitHub page.
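The version check above, scripted so it can run unattended across a fleet of instances. This is an added example, not code from the original post or from Microsoft's OMI project. It assumes that Debian-based packages carry the version as 1.6.8.1 while RPM-based systems split it into version 1.6.8, release 1 (so both are normalized to dotted form before comparing), and it assumes, as a last-resort fallback, that /opt/omi/bin/omiserver -v prints the installed version.

```shell
#!/bin/sh
# Added example (not from the original post or the OMI project): report whether the
# OMI package on this host predates the patched 1.6.8-1 release.
# Assumptions: Debian/Ubuntu package version is 1.6.8.1; RPM version-release is
# 1.6.8-1; "/opt/omi/bin/omiserver -v" printing the version is an assumed fallback.

PATCHED="1.6.8.1"   # first fixed release, in Debian-style dotted form

# Normalize a package version into dotted digits: drop any epoch ("1:"), turn the
# RPM version-release separator into a dot, and drop any trailing suffix (".el7").
normalize_omi_version() {
  printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-/./g' -e 's/[^0-9.].*$//' -e 's/\.$//'
}

# Compare two dotted numeric versions component by component; prints -1, 0 or 1.
# A missing component counts as 0, so 1.6.8 sorts below 1.6.8.1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    case $a in *.*) ai=${a%%.*}; a=${a#*.} ;; *) ai=$a; a="" ;; esac
    case $b in *.*) bi=${b%%.*}; b=${b#*.} ;; *) bi=$b; b="" ;; esac
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Exit status 0 (true) when VERSION is older than the patched release, 1 when it is
# at or above it, 2 when the string holds no usable version.
omi_version_is_vulnerable() {
  v=$(normalize_omi_version "$1")
  [ -n "$v" ] || return 2
  [ "$(vercmp "$v" "$PATCHED")" -lt 0 ]
}

# Installed OMI version from the package manager (empty when OMI is not installed).
installed_omi_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    # Only report packages in state "installed"; removed-but-configured ones are skipped.
    dpkg-query -W -f='${Status} ${Version}\n' omi 2>/dev/null | awk '$3=="installed"{print $4}'
  elif command -v rpm >/dev/null 2>&1; then
    # rpm -q prints "package omi is not installed" on stdout, so test presence first.
    if rpm -q omi >/dev/null 2>&1; then rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi; fi
  elif [ -x /opt/omi/bin/omiserver ]; then
    # Assumed fallback: pull the first version-looking token from "omiserver -v".
    /opt/omi/bin/omiserver -v 2>/dev/null | sed -n 's/^.*[^0-9.-]\([0-9][0-9.-]*\).*$/\1/p'
  fi
}

# Report the host's status; exit 1 on a vulnerable version so automation can gate on it.
check_host() {
  ver=$(installed_omi_version)
  if [ -z "$ver" ]; then
    echo "OMI package not found on this host"
    return 0
  fi
  if omi_version_is_vulnerable "$ver"; then
    echo "VULNERABLE: omi $ver is older than $PATCHED; update it per the OMI GitHub instructions"
    return 1
  fi
  echo "OK: omi $ver is at or above $PATCHED"
}

# Run the host check only when asked, so the functions above can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_host
fi
```

Run it on the instance as `sh omi_check.sh --check`; an exit status of 1 means the host needs the OMI update. The comparison is done numerically rather than with a string test because "1.6.10" would otherwise sort below "1.6.8".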
Conclusion
On Sept. 14, 2021, security researchers from Wiz released a report detailing four critical vulnerabilities affecting the Microsoft Azure package OMI. Dubbed OMIGOD, the four vulnerabilities directly affect Azure cloud instances running the Azure services listed above. Palo Alto Networks Azure-based VM-Series and CN-Series Firewall instances do not use the OMI package and are not vulnerable to the OMI critical vulnerabilities. Prisma Cloud customers can alert on vulnerable OMI versions through the built-in Defender detection or a custom vulnerability rule.
Additional Resources
- Microsoft Releases Security Update for Azure Linux Open Management Infrastructure
- Open Management Infrastructure GitHub
- OMI GitHub v.1.6.8-1