Microsoft issues new guidance on OMI vulnerabilities within Azure VM Management extensions

Microsoft has published new guidance on Open Management Infrastructure (OMI) vulnerabilities within Azure virtual machine (VM) management extensions.

On September 14, 2021, Microsoft released patches for multiple vulnerabilities in the Open Management Infrastructure (OMI) framework.

One of the Critical patches addressed an OMI remote code execution (RCE) vulnerability, CVE-2021-38647, in Azure.

“Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986). This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port,” Microsoft explained in the advisory.

Microsoft added that the RCE vulnerability only impacts customers using a Linux management solution (on-premises SCOM, Azure Automation State Configuration, or the Azure Desired State Configuration extension) that enables remote OMI management.

Fixes to the open-source OMI code were published on GitHub on August 11, 2021, with new updates released earlier this month. OMI is an open source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards.

In addition, Microsoft fixed three OMI-related privilege escalation issues: CVE-2021-38645, CVE-2021-38649, and CVE-2021-38648.

New Guidance

Just a few days after Patch Tuesday, Microsoft provided additional guidance and recommended protections for the impacted Azure virtual machine (VM) management extensions to resolve these issues.

For platform-as-a-service (PaaS) default offerings that use the vulnerable VM extensions for Linux, Microsoft confirmed they “will be updating the extension on the affected VM’s transparently for the customer.”

Microsoft further recommended that customers update vulnerable extensions for their cloud and on-premises deployments as the updates become available.

Moreover, Microsoft will apply the automatic extension updates transparently, without a reboot. Azure customers can also deploy some short-term mitigations against the RCE vulnerability CVE-2021-38647.

“While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270),” Microsoft added.
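The following check is an added example, not code from Microsoft or from this article. It audits a set of NSG inbound rules for Internet exposure of the three OMI ports named in the guidance. It assumes the rule field names used in Azure CLI JSON output for NSG rules, treats only `*`, `Internet` and `0.0.0.0/0` as public sources, and runs against constructed sample rules.

```python
OMI_PORTS = (5985, 5986, 1270)   # TCP ports named in Microsoft's guidance
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}   # assumed "whole Internet" forms

def _covers(port_spec, port):
    """True if an NSG port spec ('*', '5986', '5900-5999') includes port."""
    spec = str(port_spec).strip()
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def exposed_omi_ports(rules):
    """Return {port: rule_name} for OMI ports reachable from the Internet over TCP."""
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])   # lowest priority number wins
    findings = {}
    for port in OMI_PORTS:
        for r in inbound:
            srcs = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
            ports = _values(r, "destinationPortRange", "destinationPortRanges")
            if (r["protocol"].lower() not in ("tcp", "*")
                    or not any(s.lower() in PUBLIC_SOURCES for s in srcs)
                    or not any(_covers(p, port) for p in ports)):
                continue   # rule does not apply to public TCP traffic on this port
            if r["access"].lower() == "allow":
                findings[port] = r["name"]
            break   # first matching rule decides, whether allow or deny
    return findings

# Constructed sample rules for illustration (names and addresses are hypothetical)
SAMPLE_RULES = [
    {"name": "deny-scom-1270", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "1270"},
    {"name": "allow-omi-admin", "priority": 150, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10", "destinationPortRange": "5986"},
    {"name": "allow-mgmt-range", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["22", "5900-5999"]},
    {"name": "allow-all-high", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
```

In the sample, the broad `5900-5999` range is what exposes 5985 and 5986, while the explicit deny at priority 100 shields 1270 from the catch-all allow below it.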

Finally, Microsoft said they will continue to update “safe deployment practices” and will provide updated guidance as extension updates become available.
