Detection and Response to OMIGOD Exploitations — Azure OMI Vulnerabilities

Rex Guo
Principal Security Researcher

Recently, a few vulnerabilities in Azure (named: OMIGOD) were discovered by Wiz’s research team:

These vulnerabilities exist in the ubiquitous software agent called Open Management Infrastructure (OMI). The OMI package provides a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytic services and automation functionality within UNIX and Linux systems. OMI is used by Microsoft Azure to manage UNIX packages within Azure virtual machines (VMs), containers and serverless cloud instances.

On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the findings and the scope of the impact of the four critical vulnerabilities. According to Microsoft’s security release notes, any system created, or that has updated its OMI package, after Aug. 11, 2021, should automatically be patched.

The Impact of OMIGOD Vulnerabilities

On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the scope of the impact of the four critical vulnerabilities. According to Microsoft’s security release notes, any newly created system, or any system with an updated OMI package, after Aug. 11, 2021, should automatically be patched.

The OMIGOD Vulnerability and Attack

Let’s briefly review the vulnerabilities. First of all, the OMI agent runs as the root user on Linux. Any user can communicate with it using a UNIX socket, or via an HTTP API when it is configured to allow external access. As a result, the vulnerabilities would allow external users or low-privileged users to remotely execute code on target machines or escalate privileges.

Three of these vulnerabilities are privilege escalation vulnerabilities, while the fourth vulnerability allows remote code execution (RCE). Some Azure products, including Configuration Management, expose an HTTPS port (port 5986) for interacting with OMI. That’s what makes RCE possible. Note that most Azure services that use OMI deploy it without exposing the HTTPS port.

An attacker can exploit the RCE (CVE-2021-38647) with a SOAP message payload lacking the Authorization header. The root cause is a combination of a simple coding mistake in a conditional statement and an uninitialized auth struct: any request without an Authorization header has its privileges default to uid=0, gid=0, which is root.

To exploit the local privilege escalation vulnerability (CVE-2021-38648), the attacker can abuse the authentication protocol within the agent by omitting the initial authentication request and sending the command execution request to gain root command execution. For more detail, we recommend the in-depth vulnerability blog.

Detection and Response to OMIGOD in your environment

Microsoft has published a blog to help customers detect potential exploitation if they have auditd logging enabled on their Linux machines. The key idea is to look for execve system calls with a working directory (cwd) of /var/opt/microsoft/scx/tmp.
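The auditd check described above, as an added example (not Microsoft’s or Confluera’s code): it groups raw audit.log records by event ID and returns the execve events whose CWD record is /var/opt/microsoft/scx/tmp. The function names, the syscall-number table and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SCX_TMP = "/var/opt/microsoft/scx/tmp"   # cwd named in the guidance above
# Assumption: execve syscall numbers for the x86_64 and aarch64 audit arch values.
EXECVE = {("c000003e", "59"), ("c00000b7", "221")}
RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(raw):
    """auditd quotes plain strings and hex-encodes ones with spaces or quotes."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def find_scx_execs(lines):
    """Group records by event ID; return execve events whose cwd is SCX_TMP."""
    events = defaultdict(dict)
    for m in filter(None, map(RECORD.search, lines)):
        rtype, event_id, body = m.groups()
        f, ev = dict(FIELD.findall(body)), events[event_id]
        if rtype == "SYSCALL":
            nr = f.get("syscall")  # "execve" appears in `ausearch -i` output
            ev["execve"] = nr == "execve" or (f.get("arch"), nr) in EXECVE
            ev.update(pid=f.get("pid"), uid=f.get("uid"), exe=decode(f.get("exe", "")))
        elif rtype == "EXECVE":
            ev["argv"] = [decode(f.get(f"a{i}", "")) for i in range(int(f.get("argc", 0)))]
        elif rtype == "CWD":
            ev["cwd"] = decode(f.get("cwd", ""))
    return [dict(ev, id=eid) for eid, ev in events.items()
            if ev.get("execve") and ev.get("cwd", "").rstrip("/") == SCX_TMP]

# Constructed sample records (not from a real host); events 101 and 102 interleave.
SAMPLE = """\
type=SYSCALL msg=audit(1631800000.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 uid=0 comm="sh" exe="/usr/bin/dash"
type=SYSCALL msg=audit(1631800000.102:102): arch=c000003e syscall=59 success=yes exit=0 ppid=10 pid=11 uid=1000 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1631800000.101:101): argc=3 a0="/bin/sh" a1="-c" a2=756E616D65202D61
type=CWD msg=audit(1631800000.101:101): cwd="/var/opt/microsoft/scx/tmp"
type=EXECVE msg=audit(1631800000.102:102): argc=1 a0="ls"
type=CWD msg=audit(1631800000.102:102): cwd="/home/user"
type=SYSCALL msg=audit(1631800000.103:103): arch=c000003e syscall=257 success=yes exit=3 pid=902 uid=0 exe="/usr/bin/cat"
type=CWD msg=audit(1631800000.103:103): cwd="/var/opt/microsoft/scx/tmp"
""".splitlines()

if __name__ == "__main__":
    print(*find_scx_execs(SAMPLE), sep="\n")
```

Correlating on the event ID matters because the SYSCALL, EXECVE and CWD records of one event are separate lines and can interleave with other events, so a line-by-line grep for the path alone also matches non-execve activity such as event 103.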

We advise Confluera customers to use our threat progression and/or detection capabilities to monitor whether any potential exploitation has succeeded. See Confluera’s container threat detection blog for more examples of threat progressions and how we track attacker activities in a customer’s environment. Customers can also view the detailed activities the attacker has performed from the threat progression, as well as the process tree information. Additionally, customers can perform response actions from their progression dashboard to kill the malicious processes.


Conclusion

Since December 2020, we have witnessed an unprecedented number of cyber attacks exploiting software supply chains. Cloud providers are no exception, as they also rely on open source components to perform critical tasks on tenant assets.

Malicious actors with remote or local access to a system running a vulnerable OMI package can gain root privileges by exploiting the OMIGOD vulnerabilities. We recommend that you patch the vulnerabilities as soon as you can.

Detection and response solutions play a critical role, especially in identifying previously unknown supply chain compromises. If you need help stopping OMIGOD in your environment, contact us today!
