fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Asks Azure Linux Admins to Manually Patch OMIGOD Bugs

Microsoft Asks Azure Linux Admins to Manually Patch OMIGOD Bugs

Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities.

The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.

According to Wiz researchers Nir Ohfeld and Shir Tamari, these bugs impact thousands of Azure customers and millions of endpoints.

Root privileges with a single packet

OMIGOD affects Azure VMs who use Linux management solutions with services such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, or Azure Diagnostics.

Successful exploitation enables attackers to escalate privileges and execute code remotely on compromised Linux VMs.

“This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz researcher Nir Ohfeld said regarding the CVE-2021-38647 RCE bug.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple.

Also Read: Limiting Location Data Exposure: 8 Best Practices

“[T]his vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it.”

Manual updates required for existing Azure VMs

While working to address these bugs, Microsoft introduced an Enhanced Security commit on August 11, exposing all the details a threat actor would need to create an OMIGOD exploit.

The company released a patched OMI software agent version on September 8 and assigned CVEs only one week later, as part of the September Patch Tuesday.

To make things worse for affected customers, Microsoft has no mechanism available to auto-update vulnerable agents on all impacted Azure Linux machines.

Instead, the company has urged customers to upgrade the vulnerable software manually to secure their endpoints from attacks using OMIGOD exploits.

Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below,” the Microsoft Security Response Center team said. [emphasis ours]

“New VMs in these regions will be protected from these vulnerabilities post the availability of updated extensions.”

Extension/PackageDeployment ModelVulnerability ExposureVulnerable Extension VersionsFixed Extension VersionsUpdated Extension Availability
OMI as standalone packageOn Premises/ CloudRemote Code ExecutionOMI module version 1.6.8.0
or less
OMI module v1.6.8-1Manually download the update here
System Center Operations Manager (SCOM)On PremisesRemote Code ExecutionOMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring)OMI version: 1.6.8-1Manually download the update here
Azure Automation State Configuration, DSC ExtensionCloudRemote Code ExecutionDSC Agent versions:
2.71.X.XX (except the fixed version or higher)
2.70.X.XX (except the fixed version or higher)
3.0.0.1
2.0.0.0
DSC Agent versions:
2.71.1.25
2.70.0.30
3.0.0.3
Automatic updates enabled: update is rolling out, globally available by 9/18/2021.
Automatic updates disabled: manually update extension using instructions here
Azure Automation State Configuration, DSC ExtensionOn PremisesRemote Code ExecutionOMI versions below v1.6.8-1
(OMI framework is a pre-requisite
install for DSC agent)
OMI version: 1.6.8-1Manually update OMI using instructions here.
Log Analytics AgentOn PremisesLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Manually update using instructions here
Log Analytics AgentCloudLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here
Azure Diagnostics (LAD)CloudLocal Elevation of PrivilegeLAD v4.0.0-v4.0.5 LAD v3.0.131
and earlier
LAD v4.0.11 and LAD v3.0.133Automatic updates enabled: update is rolling out, globally available by 9/19/2021
Azure Automation Update ManagementCloudLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here
Azure Automation Update ManagementOn PremisesLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Manually update using instructions here
Azure AutomationCloudLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here
Azure AutomationOn PremisesLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Manually update using instructions here
Azure Security CenterCloudLocal Elevation of PrivilegeOMS Agent for Linux GA v1.13.35
or less
OMS Agent for
Linux GA v1.13.40-0
Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: Manually update using instructions here
Container Monitoring SolutionCloudLocal Elevation of PrivilegeSee Note 1See Note 2Updated Container Monitoring Solution Docker image is available here

To manually update the OMI agent, you can also use a Linux package manager:

  • Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs
  • You can then use your platform’s package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).

Microsoft will update vulnerable Azure VM management extensions across Azure regions on cloud deployments with auto-update turned on (the extensions will be transparently patched without a VM restart).

However, this means that customers you will still have to make changes manually to your Azure Linux machines if the automatic extension updates are not toggled on.

Also Read: 10 Practical Benefits of Managed IT Services

“Updates are already available for DSC and SCOM to address the remote execution vulnerability (RCE),” the MSRC team added.

“While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207).”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us