ALERT: Apply Microsoft Security Update for Azure Linux Open Management Infrastructure

Friday, September 17, 2021

The information below was sent to U-M IT groups on September 17, 2021. It is intended for U-M IT staff who are responsible for university servers running Azure Linux.

Summary

Remote code execution vulnerabilities have been discovered in Azure Linux Open Management Infrastructure (OMI). Microsoft has released updates to address the vulnerabilities, which should be applied as soon as possible after appropriate testing.

Problem

When a Linux virtual machine is set up in the cloud, the OMI agent is automatically and silently (without a user’s knowledge) deployed when certain Azure services are enabled. Attackers can exploit the vulnerabilities to escalate to root privileges and remotely execute malicious code (for example, encrypting files for ransom).

Affected Systems

  • Azure Automation

  • Azure Automatic Update

  • Azure Operations Management Suite (OMS)

  • Azure Log Analytics

  • Azure Configuration Management

  • Azure Diagnostics

  • Azure Container Insights

Action Items

To determine whether or not your systems are impacted, refer to Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions. If applicable, apply the security updates from Microsoft as soon as possible after appropriate testing.

Threats

An attacker could use the vulnerabilities to take control of an affected system.

Technical Details

Open Management Infrastructure (OMI) is an open source project sponsored by Microsoft that is used extensively by Azure services. OMI operates similarly to Windows Management Infrastructure (WMI), but for UNIX/Linux systems.

OMI enables popular services for statistics and sync configurations, and is silently installed on the Virtual Machine, running at the highest privileges possible.The vulnerabilities include privilege escalation vulnerabilities that enable attackers to gain the highest privileges on a machine with OMI installed.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

In general, the best protection for your systems is to keep your software and apps up-to-date and to be sure CrowdStrike Falcon is installed on all university systems in your unit.

References

Please contact azure.support@umich.edu to submit a ticket to the ITS Cloud Compute Services support team.