Security Vulnerabilities: Microsoft Azure OMI agents problems
This document (000020388) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 15
The services known to trigger the injection of the vulnerable package are as follows:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
The deployed code has several easy to exploit remote vulnerabilities.
- CVE-2021-38647: Unauthenticated RCE as root (Severity: 9.8)
- CVE-2021-38648: Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38645: Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38649: Privilege Escalation vulnerability (Severity: 7.0)
rpm -qa omi
As the package is maintained and injected by Microsoft into Azure instances, and is not delivered by SUSE, SUSE can not provide fixes.
- Verify your network settings and ensure ports 5985, 5986, 1270 are not
exposed to the Internet. If these ports are exposed to the Internet it is
recommended to consider your system as compromised.
- Redeploy your instance using a network construct with ports 5985, 5986,
closed to the Internet.
If this is not feasible:
- follow the install steps for SUSE on https://docs.microsoft.com/en-us/windows-server/administration/Linux-Package-Repository-for-Microsoft-Software,
- SLE12: sudo rpm -Uvh https://packages.microsoft.com/config/sles/12/packages-microsoft-prod.rpm
- SLE15: sudo rpm -Uvh https://packages.microsoft.com/config/sles/15/packages-microsoft-prod.rpm
- run "zypper up" to update the omi agents from the newly added repo.
- Document ID:000020388
- Creation Date: 16-Sep-2021
- Modified Date:16-Sep-2021
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: firstname.lastname@example.org