How To Fix The New OMI Vulnerabilities Target Linux VMs On Azure Environment?

After CVE-2021-40444 – MSHTML Remote Code Execution Vulnerability. On September 14, Microsoft has confirmed four new vulnerabilities on Open Management Interface (OMI) that Microsoft installed on its Azure Linux VMs. It is estimated that thousands of Azure customers and millions of endpoints are affected by these vulnerabilities. Let’s see how to fix the new OMI vulnerabilities that target Linux VMs on its Azure platform.

What Is OMI?

Open Management Infrastructure (OMI) is an open-source project which comes as a pre-installed application on Azure Linux VMs. Microsoft secretly installs this on its Linux VMs to enable monitoring, logging, reporting, and host management options from the cloud provider’s user interface and APIs. OMI is the Linux/Unix equivalent of Windows Management Instrumentation and Remote Management (WMI/WinRM) which is used to manage desired-state configuration on Linux operating systems such as CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux Server, SUSE Linux, and Ubuntu.

Who Is Vulnerable To The New OMI Vulnerabilities?

According to the report, when Azure customers enable any of these services: Azure Automatic Update, Azure Automation, Azure Operations Management Suite (OMS), Azure Configuration Management, Azure Log Analytics, and Azure Diagnostics services on Linux VMs, OMI is silently installed on them without the customer’s knowledge. Wiz security researcher Nir Ohfeld also said that these new OMI vulnerabilities are not just limited to cloud customers. It affects Linux machines deployed on on-premise on which OMI has been installed.According to Microsoft, any customers who enable these below services on their Linux VM instance are vulnerable to the OMIGOD vulnerabilities. It is estimated that thousands of Azure customers and millions of endpoints are affected by these vulnerabilities.

Summary Of OMIGOD Vulnerabilities:

From Wiz Research Team

These are the four vulnerabilities collectively named OMIGOD vulnerabilities.

The first remote code execution vulnerability CVE-2021-38647 lets adversaries gain remote access to Linux machines when OMI exposes the HTTPS management port publicly via TCP ports 1270, 5985, and 5986. later the adversaries carry out privilege escalation attacks on them and further compromise more VMs through the compromised VMs. These vulnerabilities allow attackers to remotely execute codes as a root user to exfiltrate sensitive data from the Linux VMs.

From Wiz Research Team

How To Fix The New OMI Vulnerabilities?

There are few mitigations and fixes available to protect from the new OMI vulnerabilities to answer this question. Let’s list them one after another.

Thanks for reading this threat post. Please share this post and help to secure the digital world. Please visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.