Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions
2021-09-17 10:28:04 Author: msrc-blog.microsoft.com

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM, Azure Automation State Configuration, or the Azure Desired State Configuration extension) that enables remote OMI management. Today, we are providing additional guidance and rolling out additional protections within the impacted Azure VM management extensions to resolve these issues.

What versions of OMI are vulnerable?  

All OMI versions below v1.6.8-1 are vulnerable. 

What can I do to protect against these vulnerabilities?  

Extension updates: Customers must update vulnerable extensions for their cloud and on-premises deployments as the updates become available per the schedule outlined in the table below. New VMs in these regions will be protected from these vulnerabilities once the updated extensions are available. For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions across Azure regions as per the schedule in the table below. The automatic extension updates will be applied transparently without a reboot. Where possible, customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.

  • Updates are already available for DSC and SCOM to address the remote code execution (RCE) vulnerability. While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and by restricting access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207). Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows and are not impacted by these vulnerabilities. For more information about configuring firewall rules for DSC and SCOM, see Azure Automation Network Configuration Details and Configuring a Firewall for Operations Manager.

How can I determine which VMs are impacted by these vulnerabilities? 

VMs that use the VM Management Extensions listed below are impacted. All customers that are impacted will be notified directly. To identify the affected extensions, customers can use the Azure Portal or Azure CLI as described in this article: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-linux#discover-vm-extensions. If the reported extension versions match the versions listed under 'Fixed Extension Versions' in the table below, no further action is required.

Engineering teams at Microsoft are working through safe deployment practices and will periodically update this guidance with links to updated instructions and extension update availability.   


| Extension/Package | Deployment Model | Vulnerability Exposure | Vulnerable Extension Versions | Fixed Extension Versions | Updated Extension Availability |
|---|---|---|---|---|---|
| OMI as standalone package | On Premises / Cloud | Remote Code Execution | OMI module version 1.6.8.0 or less | OMI module v1.6.8-1 | Manually download the update here |
| System Center Operations Manager (SCOM) | On Premises | Remote Code Execution | OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring) | OMI version: 1.6.8-1 | Manually download the update here |
| Azure Automation State Configuration, DSC Extension | Cloud | Remote Code Execution | DSC Agent versions: 2.71.X.XX (except the fixed version or higher), 2.70.X.XX (except the fixed version or higher), 3.0.0.1, 2.0.0.0 | DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update extension using instructions here |
| Azure Automation State Configuration, DSC Extension | On Premises | Remote Code Execution | OMI versions below v1.6.8-1 (OMI framework is a pre-requisite install for DSC agent) | OMI version: 1.6.8-1 | Manually update OMI using instructions here |
| Log Analytics Agent | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Log Analytics Agent | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Diagnostics (LAD) | Cloud | Local Elevation of Privilege | LAD v4.0.0-v4.0.5; LAD v3.0.131 and earlier | LAD v4.0.11 and LAD v3.0.133 | Automatic updates enabled: update is rolling out, globally available by 9/19/2021 |
| Azure Automation Update Management | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation Update Management | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Automation | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Azure Automation | On Premises | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Manually update using instructions here |
| Azure Security Center | Cloud | Local Elevation of Privilege | OMS Agent for Linux GA v1.13.35 or less | OMS Agent for Linux GA v1.13.40-0 | Automatic updates enabled: update is rolling out, globally available by 9/18/2021. Automatic updates disabled: manually update using instructions here |
| Container Monitoring Solution | Cloud | Local Elevation of Privilege | See Note 1 | See Note 2 | Updated Container Monitoring Solution Docker image is available here |

Note 1: Container Monitoring Solution Docker images with SHA ID different than sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707 

Note 2: Fixed version in SHA ID: sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707 
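A defender's triage helper, added here and not part of the MSRC guidance: it encodes the fixed versions from the table above and classifies reported extension versions (from `az vm extension list` style JSON) and the standalone OMI package version as below or at/above the fix. The Azure extension type names (DSCForLinux, OmsAgentForLinux, LinuxDiagnostic), the JSON field names, and the sample input are assumptions; the "no fixed release in this line" rule generalizes the table's "except the fixed version or higher" wording.

```python
"""Classify installed OMI/extension versions against the fixed versions in the advisory table."""
import json
import re

# Fixed versions from the table, keyed by extension type as `az vm extension list`
# reports it in typePropertiesType (assumption: these are the Linux extension type names).
# "OMI" is the standalone package, read locally via `dpkg-query -W omi` or `rpm -q omi`.
FIXED = {
    "DSCForLinux": ["2.71.1.25", "2.70.0.30", "3.0.0.3"],
    "OmsAgentForLinux": ["1.13.40-0"],
    "LinuxDiagnostic": ["4.0.11", "3.0.133"],
    "OMI": ["1.6.8-1"],
}

def parse_version(text):
    """'v1.6.8-1' -> (1, 6, 8, 1): '.' and '-' both separate fields, padded to 4 fields."""
    parts = [int(p) for p in re.split(r"[.-]", text.lstrip("v"))]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(ext_type, version):
    """True when the running version is below the fixed release of its major.minor line.
    A line with no fixed release in the table (e.g. DSC 2.0.0.0) is vulnerable unless the
    version is already newer than every fixed release (assumption, conservative)."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED[ext_type]]
    same_line = [f for f in fixed if f[:2] == v[:2]]
    return v < max(same_line) if same_line else v < max(fixed)

def scan_extensions(az_json):
    """Map extension name -> (version, vulnerable?) for the extension types in the table.
    Assumes the JSON carries the full running version (the VM instance view does; the
    extension model may carry only major.minor, which would be flagged as below the fix)."""
    findings = {}
    for ext in json.loads(az_json):
        ext_type = ext.get("typePropertiesType")
        if ext_type in FIXED:
            version = ext["typeHandlerVersion"]
            findings[ext["name"]] = (version, is_vulnerable(ext_type, version))
    return findings

# Constructed sample in the shape of `az vm extension list` output; not real VM data.
SAMPLE = json.dumps([
    {"name": "OmsAgentForLinux", "typePropertiesType": "OmsAgentForLinux", "typeHandlerVersion": "1.13.35"},
    {"name": "DSCForLinux", "typePropertiesType": "DSCForLinux", "typeHandlerVersion": "2.71.1.25"},
    {"name": "LinuxDiagnostic", "typePropertiesType": "LinuxDiagnostic", "typeHandlerVersion": "3.0.131"},
    {"name": "CustomScript", "typePropertiesType": "CustomScript", "typeHandlerVersion": "2.1.6"},
])

if __name__ == "__main__":
    for name, (version, vulnerable) in scan_extensions(SAMPLE).items():
        print(f"{name:18} {version:10} {'UPDATE NEEDED' if vulnerable else 'fixed'}")
    print("standalone OMI 1.6.8.0 vulnerable:", is_vulnerable("OMI", "1.6.8.0"))
```

Extensions not in the table (CustomScript in the sample) are skipped rather than reported, so an empty result means no listed extension was found, not that the VM is clean.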


Source: https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/