#OMIGOD IPS Signatures Released to Definitions

Description

Last week, researchers discovered the #OMIGOD vulnerabilities affecting Windows Azure containers. Disclosed to Microsoft by security vendor Wiz, the set consists of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) framework.


OMI is an agent within Microsoft Azure that comes preinstalled in various Azure cloud environments. Adding to the confusion, there were reports that newly created Linux virtual machines still contained the vulnerability and that updates were not automatically deployed to affected Azure machines. The resulting workaround is for administrators of the affected Azure machine(s) to install the OMI patch themselves.


Compounding matters, there is little to no documentation on the OMI agent itself. On Thursday of last week, Microsoft confirmed that automatic updates were available for some of the affected Azure extensions. According to Microsoft, "Extensions are small applications that provide post-deployment configuration and automation on Azure VMs." Over the weekend, Microsoft confirmed that the vulnerability is being scanned for by the operators of the Mirai botnet, DDoS botnets, various crypto-mining outfits and other malicious actors.


What are the Technical Details of the Vulnerability?

The vulnerability is due to an error in how the vulnerable software handles a maliciously crafted request. An unauthenticated remote attacker may be able to exploit this to execute arbitrary code via a crafted HTTP request. Ultimately, the vulnerability allows an unauthenticated attacker to perform remote code execution as root.


What is OMI?

According to Microsoft, OMI is an open-source project to further the development of a production-quality implementation of the OMI CIMOM (Common Information Model Object Manager) that is also designed to be portable and highly modular. To attain its small footprint it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints on their management processor. OMI is also designed to be inherently portable: it builds and runs today on most UNIX systems and Linux.


What Versions of OMI are Vulnerable?

All OMI versions below 1.6.8-1 are vulnerable.
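As an added example (not from this advisory or from Microsoft), the following check compares the OMI version installed on a Linux host against the fixed release 1.6.8-1 stated above. The package name `omi` and the rpm/dpkg query commands are assumptions; the numeric comparison avoids the lexicographic mistake of treating 1.6.10 as older than 1.6.8.

```python
import re
import subprocess

# Minimum fixed release per the advisory: everything below 1.6.8-1 is vulnerable.
FIXED_VERSION = "1.6.8-1"


def parse_version(version):
    """Split an OMI version such as '1.6.8-1' (or '1.6.8.1', as some package
    managers report it) into a tuple of ints so that 1.6.10 sorts after 1.6.8."""
    parts = re.split(r"[.-]", version.strip())
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OMI version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 4:          # a missing release number counts as 0
        nums.append(0)
    return tuple(nums[:4])


def is_vulnerable(version):
    """True when the installed OMI version is below the fixed release 1.6.8-1."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_omi_version():
    """Ask rpm, then dpkg, for the 'omi' package (assumed package name).
    Returns the version string, or None if OMI is not installed."""
    queries = (
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"],
        ["dpkg-query", "-W", "-f", "${Version}", "omi"],
    )
    for cmd in queries:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True)
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue              # tool missing or package not installed
        if out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    found = installed_omi_version()
    if found is None:
        print("OMI package not found on this host")
    elif is_vulnerable(found):
        print(f"OMI {found}: VULNERABLE to #OMIGOD, update to {FIXED_VERSION} or later")
    else:
        print(f"OMI {found}: at or above {FIXED_VERSION}, patched")
```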


What Services are Vulnerable?

Azure Automation

Azure Automatic Update

Azure Operations Management Suite

Azure Log Analytics

Azure Configuration Management

Azure Diagnostics


What Suggested Mitigations Are Available?

Please refer to the section "What can I do to protect against these vulnerabilities?" in the Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions link in the APPENDIX. It contains a comprehensive list of mitigation steps and workarounds issued by Microsoft for #OMIGOD.


What is the Status of Coverage?

Customers running the latest IPS definitions are protected against this vulnerability by the following signature:


MS.Azure.Open.Management.Infrastructure.Remote.Code.Execution

Telemetry