Finding Azure Linux VMs running OMI services
Details on vulnerabilities present in some Azure Linux VMs, collectively referred to as “OMIGOD”, came to light this week via published research by the cloud security folks at Wiz.io. These vulnerabilities are found in the Open Management Infrastructure software that Microsoft automatically installs in certain Azure Linux VMs. They include an unauthenticated root-level code execution vulnerability (CVE-2021-38647; CVSS base score of 9.8) and three privilege escalation vulnerabilities:
While patches were made last month for OMIGOD vulnerabilities, there have been reports this week that some new Azure Linux VM instances are still provisioning the vulnerable OMI code. Microsoft has provided guidance on ensuring folks are running the latest, patched OMI software. Wiz provided remediation recommendations via limiting network access to OMI WSMAN ports 5985, 5986, and 1270.
We recently added support to the v2.6.4 Rumble explorers and scanners to discover WSMAN services on your network-connected assets. Web Services-Management (WSMAN) is a protocol designed for the management of systems and services, and it can be found in a number of technologies, including Microsoft’s WinRM and some BMC devices. The OMI WSMAN implementation is where the OMIGOD vulnerabilities exist, and Rumble scans can identify the vendor and version of a WSMAN service with exposed ports.
Pulling WSMAN details can be done via POST request of a short SOAP message containing the
wsmid:Identify operation. A successful reply to this request will arrive in the form of a SOAP message containing product details. While adding this capability, we discovered that the OMI WSMAN implementation does not reply to HTTP requests unless a valid
Content-Type header is present in the request, which was unexpected.
_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)
Don’t have Rumble and need help finding your Linux instances running OMI services? Start your Rumble trial today.
May 12, 2022
Wrangling the May 2022 Patch Tuesday
Microsoft recently released security updates for over 70 vulnerabilities, including 3 zero-days and 7 critical vulnerabilities that affect a wide-range of their products and services. The list of patches covers an actively exploited zero-day vulnerability in the Windows …Read More
May 5, 2022
Finding F5 BIG-IP instances
Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP …Read More
April 29, 2022
Finding Netatalk instances
A critical vulnerability in the Netatalk open source file server software was found in some popular network attached storage (NAS) devices. Netatalk provides services for the deprecated AFP (Apple Filing Protocol, formerly known as Appletalk Filing Protocol), and runs on a …Read More