Sep 17, 2021

OMI Vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649)

Tags: , ,

On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the findings of four (4) critical vulnerabilities affecting the Microsoft Azure package Open Management Infrastructure (OMI). 

The open-source OMI package is designed to provide a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytic services and automation functionality within UNIX and Linux systems. OMI is used by Microsoft Azure to manage UNIX packages within Azure virtual machines (VMs), containers and serverless cloud instances. 

According to Microsoft’s security release notes, any system created, or which has updated its OMI package, after Aug. 11, 2021, should automatically be patched.

  1. CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
  2. CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
  3. CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
  4. CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

The OMI security vulnerabilities cut across multiple Azure services, including but not limited to:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite (OMS)
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

Microsoft uses OMI in these Azure services, but its agent runs as root privileges and any user can communicate with it using a UNIX socket or via an HTTP API when configured to allow external access. External users with low privileges can simply execute code remotely on a targeted machine.

OMI agent is listening on TCP port 5985. All OMI versions below v1.6.8-1 are vulnerable. For manual remediation, get the update from OMI GitHub v.1.6.8-1

Links: