Skip to main content

CVE-2021-38647 - Management Infrastructure Remote Code Execution Vulnerability

Description

Update 9/16/2021: Where can I find more information about how to know if I'm protected and what steps can be taken to be protected?

Please see Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information.

What is OMI?

Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.

Refer this link for more details : GitHub - microsoft/omi: Open Management Infrastructure

How do I protect myself from this vulnerability?

Please see Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information.

The updates for this vulnerability were published on GitHub on August 11, 2021. Why is Microsoft just now releasing a CVE?

The fix to address this vulnerability in open-source code was made available on August 11 to provide partners who depend on this software time to implement the updates before we released the details of the vulnerability.

How does this vulnerability manifest itself?

Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986 ). This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port.

How can an attacker exploit the vulnerability?

An attacker could send a specially crafted message via HTTPS to port listening to OMI on a vulnerable system.

How can I check my Azure Linux Node for this listening port?

For different services the port number could be different. On most Linux distributions, the command netstat -an | grep <port-number> will indicate if any processes are listening on <port-number>.

source

Context of k8saas

This vulnerability affects the k8saas service because all our AKS are running under linux Operating system, and all virtual machine scale sets use Log Analytics Agent.

But:

  • a strict firewalling mechanism is put in place. According to the Trustnest ISSP, only TCP:80 and TCP:443 are open by default. This means that all incoming connections to TCP or UDP 5986 is blocked (port used to exploit the vulnerability)
  • an automatic upgrade process is put in place. This updates all the Operating System of the AKS nodes continuously. doc

Finally, no customer has been impacted by this vulnerability under the k8saas perimeter.

Please contact us at support-platform@thalesdigital.io for any questions,