Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security Response Center

Last updated on October 5, 2021: See revision history located at the end of the post for changes.

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649 and CVE-2021-38648 (EoP), and CVE-2021-38647 (RCE). Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM, Azure Automation State Configuration or the Azure Desired State Configuration extension) that enables remote OMI management, that is, an OMI server listening on the network. Today, we are providing additional guidance and rolling out additional protections within the impacted Azure VM management extensions to resolve these issues.

What versions of OMI are vulnerable?  

All OMI versions below v1.6.8-1 are vulnerable. 
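The check a practitioner wants at this point is a version comparison that treats the two spellings of the fixed release the same way: Microsoft's .deb packages report 1.6.8.1 while rpm reports 1.6.8-1, and the table below mixes both. The following POSIX shell functions are an added example, not part of the original advisory, and assume the package is named omi in both dpkg and rpm; the version strings in the loop are constructed to cover the boundary cases in the table.

```shell
#!/bin/sh
# Added example: classify OMI versions against the fixed release 1.6.8-1.
# Assumptions: the package is named "omi"; dpkg reports the version as
# 1.6.8.1 and rpm as 1.6.8-1. Both spellings are accepted.

OMI_FIXED_VERSION="1.6.8-1"

# Turn "v1.6.8-1" or "1.6.8.1" into a sortable integer built from four
# zero-padded fields (each field < 1000). Missing fields count as 0.
omi_version_key() {
    printf '%s\n' "$1" | sed 's/^v//; s/[-.]/ /g' |
        awk '{ printf "%d%03d%03d%03d\n", $1, $2, $3, $4 }'
}

# Exit status 0 when the version is older than 1.6.8-1 (vulnerable), 1 otherwise.
omi_is_vulnerable() {
    [ "$(omi_version_key "$1")" -lt "$(omi_version_key "$OMI_FIXED_VERSION")" ]
}

# Print VULNERABLE or FIXED for a version string.
omi_classify() {
    if omi_is_vulnerable "$1"; then echo "VULNERABLE"; else echo "FIXED"; fi
}

# Read the installed omi package version from dpkg or rpm; prints nothing
# when neither tool is present or the package is not installed.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Status is "install ok installed" for an installed package.
        dpkg-query -W -f '${Status} ${Version}\n' omi 2>/dev/null |
            awk '$3 == "installed" { print $4 }'
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "package omi is not installed" to stdout, so guard first.
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi
    fi
}

# Report on the local host: exit 2 when vulnerable, 1 when OMI is absent, 0 when fixed.
omi_host_check() {
    v=$(omi_installed_version)
    if [ -z "$v" ]; then
        echo "omi package not installed (or dpkg/rpm unavailable)"
        return 1
    fi
    echo "omi $v: $(omi_classify "$v")"
    omi_is_vulnerable "$v" && return 2
    return 0
}

# Constructed sample versions covering the table's boundary cases.
for v in 1.6.4-1 1.6.8.0 1.6.8-1 1.6.8.1 1.6.9-0; do
    echo "$v -> $(omi_classify "$v")"
done
```

Run omi_host_check on a VM or on-premises machine to get the live answer; the constructed loop only shows how the boundary is drawn (1.6.8.0 is vulnerable, 1.6.8-1 and 1.6.8.1 are the same fixed release).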

Which PaaS services are affected by the OMI vulnerability?

For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft has updated the extensions on the affected VMs transparently for customers. Where customers have installed OMI or any of the extensions themselves on their Azure VMs or on-premises machines, they are required to follow the guidance in the table below.

How can I determine which VMs are impacted by these vulnerabilities?

VMs that use the VM management extensions listed in the table below are impacted. All impacted customers will be notified directly.

To identify the affected VMs in their subscriptions, customers can use one of the following:

What can I do to protect against these vulnerabilities?  

Extension updates: Customers must update vulnerable extensions in their cloud and on-premises deployments as per the table below. New VMs in a region are protected from these vulnerabilities as they are created. For cloud deployments, Microsoft has deployed the updated extensions across Azure regions; the automatic extension updates were applied transparently and without a reboot. Where possible, customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.

  • Updates are available for all extensions that use OMI to address the remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities. Customers can add defense in depth against the RCE vulnerability by associating a Network Security Group (NSG) with the VM's subnet or network interface, or placing the VM behind a perimeter firewall, and restricting inbound access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270). Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows; Windows hosts are not impacted by these vulnerabilities, so a rule on those ports should be scoped to the Linux systems running OMI. For more information about configuring firewall rules for DSC and SCOM, see Azure Automation Network Configuration Details and Configuring a Firewall for Operations Manager.
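Before writing NSG or firewall rules it is worth confirming, on the host itself, whether OMI is actually listening on the network rather than only on loopback: an omiserver bound to 127.0.0.1 is not reachable by the RCE, one bound to 0.0.0.0, * or [::] is. The following POSIX shell functions are an added example, not part of the original advisory; they parse the Local Address:Port column of ss -ltn, and the ss output they run against by default is constructed sample data. The az command in the comment is the Azure-side equivalent of the NSG rule the bullet describes and is not executed.

```shell
#!/bin/sh
# Added example: report OMI listeners reachable from off-host.
# Parses the "Local Address:Port" column of `ss -ltn` and flags TCP 5985,
# 5986 and 1270 unless they are bound to a loopback address.

OMI_PORTS="5985 5986 1270"

# Constructed sample of `ss -ltn` output: sshd, OMI on loopback only (5985),
# OMI on all IPv4 interfaces (5986), OMI on all IPv6 interfaces (1270), HTTPS.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5985      0.0.0.0:*
LISTEN 0      128                *:5986            *:*
LISTEN 0      128             [::]:1270         [::]:*
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
EOF
}

# Read ss -ltn lines on stdin; print "port address" for each OMI port bound
# to something other than 127.0.0.0/8 or [::1]. The header line is skipped
# because its first field is "State", not "LISTEN".
omi_exposed_listeners() {
    awk -v ports="$OMI_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        la = $4
        k = split(la, parts, ":")
        port = parts[k]
        # everything before the last colon is the address ("[::]", "*", "127.0.0.1")
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (!(port in want)) next
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost") next
        print port, addr
    }'
}

# With --live, inspect the running host; otherwise use the constructed sample.
omi_exposure_report() {
    if [ "${1:-}" = "--live" ]; then
        command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 1; }
        ss -ltn | omi_exposed_listeners
    else
        sample_ss_output | omi_exposed_listeners
    fi
}

# Number of exposed OMI listeners; non-zero means a network rule is needed.
omi_exposed_count() {
    omi_exposure_report "$@" | wc -l | tr -d ' '
}

# Azure-side rule for the same ports (not run here; <rg> and <nsg> are placeholders):
#   az network nsg rule create -g <rg> --nsg-name <nsg> -n DenyOmiInbound \
#     --priority 100 --direction Inbound --access Deny --protocol Tcp \
#     --source-address-prefixes Internet --destination-port-ranges 5985 5986 1270

omi_exposure_report
```

In the sample only 5986 on * and 1270 on [::] are reported; the 5985 listener on 127.0.0.1 is deliberately left out because it cannot be reached by a remote attacker even without a firewall.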

How can I detect if this vulnerability has been exploited? 

An attacker who leverages these vulnerabilities to execute commands remotely will have those commands run by the SCXcore service. The SCXcore provider runs on AIX 6.1 and later, HP-UX 11.31 and later, Solaris 5.10 and later, and most versions of Linux as far back as Red Hat 5.0, SuSE 10.1, and Debian 5.0. SCX has a RunAsProvider named ExecuteShellCommand. The ExecuteShellCommand RunAsProvider executes any UNIX/Linux command using the /bin/sh shell.

  • If you have auditd enabled and are collecting execve logs, look for commands whose working directory is ‘/var/opt/microsoft/scx/tmp’. In raw audit logs the working directory is carried in the CWD record that shares an event serial with the EXECVE record, not in the EXECVE record itself.
  • You can also enable logging for the scxadmin tool. If you enable verbose logging with the command ‘/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose’, the commands are written to /var/opt/microsoft/scx/log/scx.log. To see the commands that are executing, grep that file for Invoke_ExecuteShellCommand.
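The auditd bullet above hides a correlation step: in a raw audit.log the working directory lives in a CWD record and the command line in an EXECVE record, tied together only by the serial inside msg=audit(seconds.millis:serial). The following POSIX shell example, added here and not part of the original advisory, performs that correlation with awk over constructed audit.log lines and also shows the scx.log grep from the second bullet over constructed log lines (the scx.log line format below is illustrative; only the Invoke_ExecuteShellCommand marker is taken from the advisory). It assumes an execve audit rule is in place; the rule in the comment and its key name are ours.

```shell
#!/bin/sh
# Added example: find execve events whose working directory is the SCX temp
# directory by joining auditd CWD records to EXECVE records on the event serial.
# Assumes raw /var/log/audit/audit.log with an execve rule such as
#   auditctl -a always,exit -F arch=b64 -S execve -k omi_exec   (key name is ours)
# Arguments containing spaces or quotes are hex-encoded in the raw log; they
# are decoded below so the full command line is visible.

SCX_TMP="/var/opt/microsoft/scx/tmp"

# Constructed sample audit.log: two shells spawned from the SCX temp dir
# (serials 4711 and 4713) and one ordinary login-session command (4712).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1631712000.123:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1337 uid=0 euid=0 comm="sh" exe="/bin/dash" key="omi_exec"
type=EXECVE msg=audit(1631712000.123:4711): argc=3 a0="/bin/sh" a1="-c" a2=6964202D75
type=CWD msg=audit(1631712000.123:4711): cwd="/var/opt/microsoft/scx/tmp"
type=PROCTITLE msg=audit(1631712000.123:4711): proctitle=2F62696E2F7368002D63006964202D75
type=SYSCALL msg=audit(1631712005.456:4712): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 uid=1000 euid=1000 comm="ls" exe="/bin/ls" key="omi_exec"
type=EXECVE msg=audit(1631712005.456:4712): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1631712005.456:4712): cwd="/home/admin"
type=SYSCALL msg=audit(1631712009.789:4713): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1402 uid=0 euid=0 comm="sh" exe="/bin/dash" key="omi_exec"
type=EXECVE msg=audit(1631712009.789:4713): argc=3 a0="/bin/sh" a1="-c" a2="whoami"
type=CWD msg=audit(1631712009.789:4713): cwd="/var/opt/microsoft/scx/tmp"
EOF
}

# Read audit.log on stdin; print "serial|cwd|argv" for every execve event
# whose working directory equals $1 (default: the SCX temp dir).
scx_exec_hits() {
    awk -v dir="${1:-$SCX_TMP}" '
    function hexdigit(c) { return index("0123456789ABCDEF", toupper(c)) - 1 }
    # Decode an audit hex-encoded value ("6964202D75" -> "id -u").
    function unhex(h,   i, s) {
        s = ""
        for (i = 1; i <= length(h); i += 2)
            s = s sprintf("%c", hexdigit(substr(h, i, 1)) * 16 + hexdigit(substr(h, i + 1, 1)))
        return s
    }
    # Event id: the serial after the colon inside audit(seconds.millis:serial).
    match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/) {
        ev = substr($0, RSTART, RLENGTH); sub(/.*:/, "", ev); sub(/\)$/, "", ev)
    }
    /^type=EXECVE / {
        argv = ""
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^a[0-9]+=/) continue
            v = $i; sub(/^a[0-9]+=/, "", v)
            if (v ~ /^"/) gsub(/"/, "", v); else v = unhex(v)
            argv = argv (argv == "" ? "" : " ") v
        }
        cmd[ev] = argv
        if (!(ev in seen)) { seen[ev] = 1; order[++n] = ev }
    }
    /^type=CWD / {
        c = $0; sub(/.*cwd="/, "", c); sub(/".*/, "", c); cwd[ev] = c
    }
    END {
        for (i = 1; i <= n; i++) {
            e = order[i]
            if (cwd[e] == dir) print e "|" cwd[e] "|" cmd[e]
        }
    }'
}

# Constructed scx.log-style lines after `scxadmin -log-set all verbose`; the
# layout is illustrative, the Invoke_ExecuteShellCommand marker is what matters.
sample_scx_log() {
    cat <<'EOF'
2021-09-15T12:00:00,123Z Trace [scx.core.providers.runasprovider:1337] SCX_OperatingSystem::Invoke_ExecuteShellCommand command="id -u"
2021-09-15T12:00:01,456Z Trace [scx.core.common.pal:1337] Opening /etc/os-release
2021-09-15T12:00:09,789Z Trace [scx.core.providers.runasprovider:1402] SCX_OperatingSystem::Invoke_ExecuteShellCommand command="whoami"
EOF
}

# The grep from the advisory, reading scx.log on stdin.
scx_log_hits() { grep 'Invoke_ExecuteShellCommand'; }

sample_audit_log | scx_exec_hits
sample_scx_log | scx_log_hits
```

On a live host replace the sample with the real log, for example: scx_exec_hits < /var/log/audit/audit.log. Serial 4712 is filtered out because its CWD record points at /home/admin even though it carries the same audit key, which is exactly the distinction the working-directory indicator relies on.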

More details about scxadmin are available here: Administering and Configuring the UNIX – Linux Agent | Microsoft Docs. For more details on SCXcore, see the GitHub repo: microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager (github.com).

Microsoft has released additional detection guidance and protections for Azure Sentinel: Hunting for OMI Vulnerability Exploitation with Azure Sentinel. To further improve security protections for customers, Microsoft will continue to provide additional protections as our investigation progresses. Microsoft has also provided the above detection guidance to major security software providers. Security software providers can use this detection guidance to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. For more information about these security providers, please see the Microsoft Active Protections Program.

Are Azure Marketplace VMs impacted by these vulnerabilities? 
Microsoft has identified a subset of Azure Marketplace VM images that have vulnerable versions of the OMI framework installed. Microsoft has published Azure Service Health Notifications to customers utilizing impacted VM images to provide them guidance on how to remediate their resources. Microsoft has also notified the Marketplace publishers to release new versions of the VM images for the offers with the updated OMI framework.

Engineering teams at Microsoft are working through safe deployment practices and will periodically update this guidance with links to updated instructions and extension update availability.   


Affected extensions and packages. Each entry gives the deployment model and vulnerability exposure, followed by the vulnerable versions, the fixed versions, and where the update is available.

OMI as standalone package (On premises / cloud): Remote Code Execution
  Vulnerable versions: OMI module version 1.6.8.0 or less
  Fixed version: OMI version v1.6.8-1
  Update availability: Manually download the update here

System Center Operations Manager (SCOM) (On premises): Remote Code Execution
  Vulnerable versions: OMI versions 1.6.8.0 or less (the OMI framework is used for Linux/UNIX monitoring)
  Fixed version: OMI version 1.6.8-1
  Update availability: Manually download the update here

Azure Automation State Configuration, DSC Extension (Cloud): Remote Code Execution
  Vulnerable versions: Linux DSC Agent 2.71.X.XX (except the fixed version or higher), 2.70.X.XX (except the fixed version or higher), 3.0.0.1, 2.0.0.0
  Fixed versions: Linux DSC Agent 2.71.1.25, 2.70.0.30, 3.0.0.3
  Update availability: Microsoft has completed deployment of updates. VMs that continue to be reported as vulnerable: manually update using the instructions here

Azure Automation State Configuration, DSC Extension (On premises): Remote Code Execution
  Vulnerable versions: OMI versions below v1.6.8-1 (the OMI framework is a prerequisite install for the DSC agent)
  Fixed version: OMI version 1.6.8-1
  Update availability: Manually update OMI using the instructions here

Log Analytics Agent (On premises): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Manually update using the instructions here

Log Analytics Agent (Cloud): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Microsoft has completed deployment of updates. VMs that continue to be reported as vulnerable: manually update using the instructions here

Azure Diagnostics (LAD) (Cloud): Local Elevation of Privilege
  Vulnerable versions: LAD v4.0.0 to v4.0.5; LAD v3.0.131 and earlier
  Fixed versions: LAD v4.0.15 and LAD v3.0.135
  Update availability: Microsoft has completed deployment of updates.

Azure Automation Update Management (Cloud): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Microsoft has completed deployment of updates. VMs that continue to be reported as vulnerable: manually update using the instructions here

Azure Automation Update Management (On premises): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Manually update using the instructions here

Azure Automation (Cloud): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Microsoft has completed deployment of updates. VMs that continue to be reported as vulnerable: manually update using the instructions here

Azure Automation (On premises): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Manually update using the instructions here

Azure Security Center (Cloud): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Microsoft has completed deployment of updates.

Azure Sentinel (Cloud): Local Elevation of Privilege
  Vulnerable versions: OMS Agent for Linux GA v1.13.39 or less
  Fixed version: OMS Agent for Linux GA v1.13.40-0
  Update availability: Microsoft has completed deployment of updates.

Container Monitoring Solution (Cloud): Local Elevation of Privilege
  Vulnerable versions: See Note 1
  Fixed version: See Note 2
  Update availability: Updated Container Monitoring Solution Docker image is available here

Azure Stack Hub (On premises): Local Elevation of Privilege
  Extension: Azure Monitor, Update and Configuration Management
  Vulnerable versions: 1.8, 1.8.11, 1.12, 1.12.17, 1.13.27, 1.13.33
  Fixed version: Azure Monitor, Update and Configuration Management 1.14.02
  Update availability: New extension version is available via the Azure Stack Hub marketplace. Manually update using the instructions here

Azure Stack Hub (On premises): Local Elevation of Privilege
  Extension: Microsoft Azure Diagnostic Extension for Linux Virtual Machines
  Vulnerable versions: 3.0.111, 3.0.121
  Fixed version: Microsoft Azure Diagnostic Extension for Linux Virtual Machines 3.1.135
  Update availability: New extension version is available via the Azure Stack Hub marketplace. Manually update using the instructions here

Azure HDInsight (Cloud): Local Elevation of Privilege
  Exposure: Customers with HDInsight clusters running Ubuntu 16.04, or customers that have enabled Azure Monitor integration for their HDInsight cluster, are susceptible to the elevation of privilege vulnerabilities
  Vulnerable versions: OMI framework version 1.6.8.0 or less
  Fixed version: OMI framework v1.6.8-1
  Update availability: Automatic updates have been completed. Where customer configuration prevented updates, customers must apply the updates by running the following script on every cluster node.


Note 1: Container Monitoring Solution Docker images whose SHA ID differs from sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707 are vulnerable.

Note 2: The fixed image has SHA ID sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707.

Revision History:
Revision 1.0 September 16, 2021: Information published.
Revision 1.1 September 17, 2021: Updated affected software, clarified how customers can determine which VMs are impacted by these vulnerabilities and clarified what customers can do to protect against these vulnerabilities.
Revision 1.2 September 18, 2021: Added detection guidance.
Revision 1.3 September 19, 2021: Updated release date for the Azure Monitor, Update and Configuration Management Azure Stack Hub extension
Revision 1.4 September 20, 2021: Updated version number of Azure Diagnostics (LAD) and added information for new updates available for Azure Stack Hub.
Revision 1.5 September 21, 2021: Removed the first bullet in the How can I determine which VMs are impacted by these vulnerabilities? section.
Revision 1.6 September 22, 2021: Updated affected software table including HDInsight, Azure Stack Hub, and the date automatic updates will be enabled.
Revision 1.7 September 24, 2021: Announced the release of several updates and deployments for Azure Automation State Configuration, DSC Extension, Log Analytics Agent, Azure Automation Update Management, Azure Automation, Azure Security Center, Azure Sentinel and Azure Stack Hub.
Revision 1.8 September 30, 2021: Updated to reflect completion of Microsoft auto-update processes.
Revision 1.9 October 5, 2021: Updated the version number for Azure Monitor, Update and Configuration Management to 1.14.02 for Azure Stack Hub (On-premises).