
Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerabilities - OMIGOD

Description: The vulnerabilities, reported by Wiz's research team, allow an attacker to execute code remotely or elevate privileges on vulnerable Linux virtual machines running on Azure. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM, Azure Automation State Configuration, or the Azure Desired State Configuration extension) that enables remote OMI management.

Details: Microsoft issued the following CVEs for OMIGOD and made a patch available to customers during their September 2021 Patch Tuesday release:

  • CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability
  • CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
  • CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
  • CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability

Microsoft Protection: Microsoft has made available a patch and recommends applying it immediately on affected systems. For more information and instructions please visit the Microsoft Security Response Center.

Barracuda Networks: By default, OMI is not installed on any CloudGen Firewall or CloudGen WAN system, so these systems are not affected. As soon as a unit is connected to an Azure Log Analytics Workspace (aka "OMS"), OMI gets installed in the following version, depending on the firmware release:

  • 8.0.5: OMI version 1.4.2
  • 8.1.2: OMI version 1.6.0
  • 8.2.0: OMI version 1.6.0

CVE-2021-38647: In all 3 firmware versions we have the OMI suite configured to not listen to inbound connections. In addition, even if the OMI suite were configured to accept inbound connections, by default, such traffic would be blocked by the firewall.

CVE-2021-38645, CVE-2021-38648, CVE-2021-38649: All of these CVEs are local privilege escalations (i.e. they require local access). As a general rule, on CloudGen firewalls, only trustworthy administrative personnel have this kind of access. Additionally, on CloudGen firewall systems, the OMI suite is restricted to a chroot environment, which further mitigates the impact of these CVEs.
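The two mitigations described above (no inbound OMI listener for the RCE, and patch level for the local privilege escalations) are exactly what an administrator of any Linux host running OMI would want to verify. The following POSIX shell script is an added example, not part of the Barracuda advisory or any Microsoft tooling: it parses an `ss -Hltn`-style socket listing for OMI's well-known WS-Management ports (5985, 5986 and the legacy SCOM port 1270) bound to anything other than loopback, compares the installed omi package version against a minimum version, and combines both into a single status. The minimum version `1.6.8.1` is an assumption taken from Microsoft's fix guidance and should be confirmed against MSRC before use; the socket listing and versions in the demo are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory): check an OMI host for an exposed
# listener and for an outdated package. OMI_MIN_VERSION is an assumption
# (the version Microsoft published as fixed); confirm it against MSRC.
OMI_PORTS="5985 5986 1270"               # well-known omiserver WS-Man / SCOM ports
OMI_MIN_VERSION="${OMI_MIN_VERSION:-1.6.8.1}"

# version_ge A B: prints 1 if dotted version A >= B, else 0.
# A "-" (as in 1.6.8-1) is treated like a "."; only numeric components are handled.
version_ge() {
    v1=$(printf '%s' "$1" | tr '-' '.')
    v2=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        case "$v1" in *.*) v1=${v1#*.} ;; *) v1="" ;; esac   # consume component
        case "$v2" in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
        a=${a:-0}; b=${b:-0}                                  # missing component == 0
        if [ "$a" -gt "$b" ]; then echo 1; return; fi
        if [ "$a" -lt "$b" ]; then echo 0; return; fi
    done
    echo 1
}

# exposed_omi_listeners LISTING: LISTING is text in `ss -Hltn` format
# (State Recv-Q Send-Q Local:Port Peer:Port). Prints every OMI port that is
# bound to a non-loopback address, one per line; prints nothing if none.
exposed_omi_listeners() {
    printf '%s\n' "$1" | while read -r _state _rq _sq laddr _peer; do
        if [ -z "$laddr" ]; then continue; fi
        port=${laddr##*:}
        addr=${laddr%:*}
        for p in $OMI_PORTS; do
            if [ "$port" = "$p" ]; then
                case "$addr" in
                    127.*|'[::1]') ;;            # loopback only: not reachable remotely
                    *) echo "$laddr" ;;          # 0.0.0.0, [::], * or a real interface
                esac
            fi
        done
    done
}

# installed_omi_version: query dpkg or rpm for the omi package; prints "" if absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -q omi >/dev/null 2>&1; then
            rpm -q --qf '%{VERSION}-%{RELEASE}' omi
        fi
    fi
}

# assess_omi LISTING INSTALLED_VERSION MIN_VERSION:
# prints absent | ok | outdated | exposed | outdated+exposed.
# "exposed" alone means the remote path (CVE-2021-38647) is reachable;
# "outdated" alone still matters for the local EoP CVEs.
assess_omi() {
    listing="$1"; installed="$2"; minimum="$3"
    if [ -z "$installed" ]; then echo "absent"; return; fi
    status="ok"
    if [ "$(version_ge "$installed" "$minimum")" = 0 ]; then status="outdated"; fi
    if [ -n "$(exposed_omi_listeners "$listing")" ]; then
        if [ "$status" = "ok" ]; then status="exposed"; else status="outdated+exposed"; fi
    fi
    echo "$status"
}

# Demo on constructed sample data (an OMI 1.6.0 install listening on all interfaces).
SAMPLE_LISTING='LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5986 0.0.0.0:*
LISTEN 0 128 [::]:1270 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
echo "sample host: $(assess_omi "$SAMPLE_LISTING" 1.6.0 "$OMI_MIN_VERSION")"
```

On a live host, run the same assessment with real inputs: `assess_omi "$(ss -Hltn)" "$(installed_omi_version)" "$OMI_MIN_VERSION"`. A result of `ok` corresponds to the state the advisory describes for CloudGen firewalls (no inbound OMI listener), plus a package at or above the fixed version; `exposed` means the RCE entry point is reachable and the listener or firewall rule should be reviewed, while `outdated` alone still leaves the local EoP CVEs open.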

We are currently preparing hotfixes for all 3 firmware versions to address the 4 CVEs.

Update September 22, 2021:

The following hotfixes have been released:


The following IPS signature was released on September 16, 2021, to protect against CVE-2021-38647, the entry point of the RCE attack chain.

  • Signature ID 1139736 WEB Microsoft Open Management Infrastructure Remote Code Execution Vulnerability (CVE-2021-38647)