
OMIGOD Azure Linux Vulnerabilities [CVE-2021-38647 – CVE-2021-38645 – CVE-2021-38648 – CVE-2021-38649]

CVE numbers: CVE-2021-38647 – CVE-2021-38645 – CVE-2021-38648 – CVE-2021-38649

OMIGOD is a set of four vulnerabilities that affect Microsoft’s OMI tooling, which is used to manage Linux environments in Azure.

An attacker could exploit these vulnerabilities to execute their own code, propagate across an Azure environment, or escalate their privileges.

Affected platforms

The following platforms are known to be affected:

OMI Versions: all prior to 1.6.8-1

OMI is present in the following Azure products:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics
  • Azure Container Insights
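
To check whether a Linux host running one of these services carries an affected OMI build, the following added example (not from the original article or from Microsoft) compares the installed version with 1.6.8-1 field by field, so that a version such as 1.6.10 is not mistaken for one older than 1.6.8. It assumes the package is named `omi` in dpkg or rpm, and that `-` and `.` can be treated as equivalent separators in the reported version.

```sh
#!/bin/sh
FIXED_VERSION="1.6.8-1"   # from the advisory: all versions prior to this are affected

# Print the first four numeric fields of a version string. '-' is treated like
# '.', missing fields become 0, suffixes such as "1.ulinux" are cut to digits
# (assumption about how package managers render the version).
normalise() (
    IFS='.-'; set -f
    set -- $1
    for f in "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"; do
        f="${f%%[!0-9]*}"            # keep leading digits only
        f="${f#"${f%%[!0]*}"}"       # drop leading zeros
        printf '%s ' "${f:-0}"
    done
)

# Exit status 0 when version $1 is older than FIXED_VERSION.
omi_is_vulnerable() (
    set -- $(normalise "$1") $(normalise "$FIXED_VERSION")
    n=0                               # $1..$4 installed, $5..$8 fixed
    while [ "$n" -lt 4 ]; do
        [ "$1" -lt "$5" ] && exit 0   # older field: affected
        [ "$1" -gt "$5" ] && exit 1   # newer field: not affected
        shift; n=$((n + 1))
    done
    exit 1                            # same as the fixed release
)

# Print the installed "omi" package version, or return 1 if none is found.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1 &&
       v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && [ -n "$v" ]; then
        printf '%s\n' "$v"; return 0
    fi
    if command -v rpm >/dev/null 2>&1 &&
       v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null); then
        printf '%s\n' "$v"; return 0
    fi
    return 1
}

check_host() {
    if ! v=$(installed_omi_version); then
        echo "omi package not found by dpkg or rpm"; return 0
    fi
    if omi_is_vulnerable "$v"; then
        echo "omi $v is older than $FIXED_VERSION: AFFECTED, update required"; return 1
    fi
    echo "omi $v is at or above $FIXED_VERSION"
}
check_host || true
```

Because the Azure services listed above install OMI on the host themselves, the check is worth running on every Linux VM enrolled in them, not only on hosts where OMI was installed deliberately.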

All four OMIGOD vulnerabilities appear to be the result of conditional statement flaws in OMI.

  • CVE-2021-38647 – Unauthenticated remote code execution – OMI responds with root-level privileges to any access request without an authentication header. If a user deletes the authentication header from their POST request to the OMI HTTP management ports, OMI will execute any commands in the request with administrative privileges. An attacker may use this to take control of affected environments or for lateral traversal once they have control.
  • CVE-2021-38648 – Privilege escalation – Similar to CVE-2021-38647, although it is the result of a communication failure between the OMI frontend omiengine process and the backend omiserver process.
  • CVE-2021-38645 – Privilege escalation – Similar to CVE-2021-38648. An attacker can intercept requests between the omicli and omiengine processes and obtain the authentication information within them. This information may then be reused by the attacker.
  • CVE-2021-38649 – Privilege escalation – Similar to CVE-2021-38647 and CVE-2021-38648.

Remediation advice

Microsoft addressed the OMIGOD vulnerabilities in their September 2021 regular patch release. Affected organisations are encouraged to review the following Microsoft Security Update Guides and apply any relevant updates:

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.
