On September 14, 2021, Microsoft released fixes for three local Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability only affects customers using a Linux management solution (on-premises SCOM, Azure Automation State Configuration, or the Azure Desired State Configuration extension) that enables remote OMI management, i.e. OMI listening on the network rather than only on a local socket. Today, we are providing additional guidance and rolling out additional protections for the impacted Azure VM management extensions to resolve these issues.
What versions of OMI are vulnerable?
All OMI versions below v1.6.8-1 are vulnerable.
What can I do to protect against these vulnerabilities?
Extension updates: Customers must update vulnerable extensions in their cloud and on-premises deployments as the updates become available per the schedule in the table below. New VMs in these regions will be protected from these vulnerabilities once the updated extensions are available. For cloud deployments with automatic updates turned on, Microsoft will actively deploy the extension updates across Azure regions per the schedule in the table below. Automatic extension updates are applied transparently and do not require a reboot. Where possible, customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.
- Updates are already available for DSC and SCOM to address the remote code execution (RCE) vulnerability. While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall, and by restricting access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207). Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows; Windows hosts are not affected by these vulnerabilities. For more information about configuring firewall rules for DSC and SCOM, see Azure Automation Network Configuration Details and Configuring a Firewall for Operations Manager.
How can I determine which VMs are impacted by these vulnerabilities?
VMs that use the VM management extensions listed below are impacted. All impacted customers will be notified directly. To identify the affected extensions, customers can use the Azure Portal or Azure CLI as described in this article: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux#discover-vm-extensions. If the reported extension versions match the versions listed in the 'Fixed Extension Versions' column of the table below, no further action is required.
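Beyond the extension version check above, a host-side triage is useful because the RCE exposure depends on whether OMI is actually reachable over the network on TCP 5985, 5986 or 1207, while the EoP vulnerabilities apply to any vulnerable build. The following script is an added example, not Microsoft tooling or part of the original guidance. It assumes the OMI package version is readable with `dpkg-query --showformat='${Version}'` or `rpm --qf '%{VERSION}-%{RELEASE}'`, and that listening sockets can be read from `ss -ltn`; the sample `ss` output embedded in it is constructed for offline use.

```python
"""Host-side triage for the OMI advisory (added example, not Microsoft tooling).

Answers two questions from the guidance: is the installed OMI build below the
fixed 1.6.8-1, and does this host expose the OMI ports (TCP 5985, 5986, 1207)
on a non-loopback address, which is what turns local EoP exposure into remote
RCE exposure.

Assumptions (not from the advisory): the package version comes from
dpkg-query / rpm as shown in installed_omi_version(), and listening sockets
come from `ss -ltn`. SAMPLE_SS below is constructed for the offline demo.
"""
import re
import subprocess

FIXED_OMI = "1.6.8-1"           # fixed version from the advisory table
OMI_PORTS = {5985, 5986, 1207}  # OMI ports named in the advisory guidance

# Constructed sample of `ss -ltn` output: OMI bound to all interfaces on
# 5986 and 1207, but only to loopback on 5985.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:5986        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5985      0.0.0.0:*
LISTEN  0       128     [::]:1207           [::]:*
"""


def parse_version(text):
    """'1.6.8-1' -> (1, 6, 8, 1); '1.6.8.0' -> (1, 6, 8, 0).

    Both '.' and '-' separate components, so the Debian/RPM release number
    takes part in the comparison. Parsing stops at the first component that
    does not start with a digit (e.g. a 'ssl_110' suffix).
    """
    nums = []
    for part in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def omi_is_vulnerable(version):
    """True when the installed OMI build is below v1.6.8-1."""
    return parse_version(version) < parse_version(FIXED_OMI)


def exposed_omi_ports(ss_output):
    """OMI ports from `ss -ltn` text that listen on a non-loopback address."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        loopback = addr.startswith("127.") or addr in ("[::1]", "::1")
        if int(port) in OMI_PORTS and not loopback:
            exposed.add(int(port))
    return exposed


def triage(version, ss_output):
    """Classify a host: not-installed, fixed, local-eop, or rce."""
    exposed = exposed_omi_ports(ss_output)
    if version is None:
        risk = "not-installed"
    elif not omi_is_vulnerable(version):
        risk = "fixed"
    elif exposed:
        risk = "rce"        # vulnerable build and OMI reachable over the network
    else:
        risk = "local-eop"  # vulnerable build, but OMI only on loopback/local socket
    return {"version": version, "exposed_ports": sorted(exposed), "risk": risk}


def _run(cmd):
    """Run a command and return stdout, or None if it is missing or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


def installed_omi_version():
    """Ask dpkg, then rpm, for the omi package version; None if not installed."""
    for cmd in (["dpkg-query", "-W", "--showformat=${Version}", "omi"],
                ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"]):
        out = _run(cmd)
        if out and out.strip():
            return out.strip()
    return None


if __name__ == "__main__":
    # Live run on the current host; falls back to "not-installed" if omi is absent.
    print(triage(installed_omi_version(), _run(["ss", "-ltn"]) or ""))
```

A host reported as `local-eop` still needs the update (the three EoP CVEs need only local access), but it is not reachable through the RCE path and can be scheduled behind hosts reported as `rce`, which should also get the NSG or firewall restriction described above until patched.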
Engineering teams at Microsoft are working through safe deployment practices and will periodically update this guidance with links to updated instructions and extension update availability.
| Extension/Package | Deployment Model | Vulnerability Exposure | Vulnerable Extension Versions | Fixed Extension Versions | Updated Extension Availability |
|---|---|---|---|---|---|
| OMI as standalone package | On Premises / Cloud | Remote Code Execution | OMI module version 1.6.8.0 or less | OMI module v1.6.8-1 | Manually download the update here |
| System Center Operations Manager (SCOM) | On Premises | Remote Code Execution | OMI versions 1.6.8.0 or less (the OMI framework is used for Linux/UNIX monitoring) | OMI version 1.6.8-1 | Manually download the update here |
| Azure Automation State Configuration, DSC Extension | Cloud | Remote Code Execution | DSC Agent versions: 2.71.X.XX (except the fixed version or higher); 2.70.X.XX (except the fixed version or higher); 3.0.0.1; 2.0.0.0 | DSC Agent versions: 2.71.1.25; 2.70.0.30; 3.0.0.3 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update the extension using the instructions here |
| Azure Automation State Configuration, DSC Extension | On Premises | Remote Code Execution | OMI versions below v1.6.8-1 (the OMI framework is a prerequisite install for the DSC agent) | OMI version 1.6.8-1 | Manually update OMI using the instructions here |
| Log Analytics Agent | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using the instructions here |
| Log Analytics Agent | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using the instructions here |
| Azure Diagnostics (LAD) | Cloud | Local Elevation of Privilege | LAD v4.0.0 to v4.0.5; LAD v3.0.131 and earlier | LAD v4.0.11 and LAD v3.0.133 | Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
| Azure Automation Update Management | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using the instructions here |
| Azure Automation Update Management | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using the instructions here |
| Azure Automation | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using the instructions here |
| Azure Automation | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using the instructions here |
| Azure Security Center | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using the instructions here |
| Container Monitoring Solution | Cloud | Local Elevation of Privilege | See Note 1 | See Note 2 | Updated Container Monitoring Solution Docker image is available here |
Note 1: Any Container Monitoring Solution Docker image whose digest differs from sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707 is vulnerable.
Note 2: The fixed image has digest sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707.