Security Alert: Linux servers at Azure vulnerabilities - patch now
Date:
2021-09-17 14:19:00
Status:
Closed
Brief Description:
Microsoft disclosed four vulnerabilities affecting Linux servers in Azure via the OMI agent. Vulnerability CVE-2021-38647 allows for remote code execution and should be immediately patched to prevent exploitation.
Current Status:
Microsoft has released updates to mitigate these vulnerabilities. Please update any affected servers.
Services Affected:
Not Applicable
Full Description:
On September 14th, 2021 Microsoft released patches to mitigate the effects of four new vulnerabilities for Linux servers hosted in Azure. The root cause of these vulnerabilities is found in the Open Management Infrastructure (OMI) agent that’s embedded in many popular Azure services. The Cornell IT Security office recommends immediate patching of any vulnerable assets.
For customers of CIT's Managed Server Service - mitigations are already in place for Linux servers at Azure.
The CVEs in scope for this alert are:
CVE-2021-38647 – Unauthenticated root code execution as root (Severity: 9.8)
CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)
To determine if your host is vulnerable connect to your Azure VMs and run the commands below in your terminal to ensure OMI is updated to the latest version:
For Debian systems (e.g., Ubuntu): dpkg -l omi
For Redhat based system (e.g., Fedora, CentOS, RHEL): rpm -qa omi
If OMI isn’t installed, no results will return, and your machine isn’t vulnerable. If results return, you’ll be able to see what the installed OMI version on your machines is. Version 1.6.8.1 is the patched version.
External links:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649
https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
For customers of CIT's Managed Server Service - mitigations are already in place for Linux servers at Azure.
The CVEs in scope for this alert are:
CVE-2021-38647 – Unauthenticated root code execution as root (Severity: 9.8)
CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)
To determine if your host is vulnerable connect to your Azure VMs and run the commands below in your terminal to ensure OMI is updated to the latest version:
For Debian systems (e.g., Ubuntu): dpkg -l omi
For Redhat based system (e.g., Fedora, CentOS, RHEL): rpm -qa omi
If OMI isn’t installed, no results will return, and your machine isn’t vulnerable. If results return, you’ll be able to see what the installed OMI version on your machines is. Version 1.6.8.1 is the patched version.
External links:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649
https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
CIT TDX ID: