Let’s have a look at the Azure Log Analytics vulnerability. This vulnerability is already fixed for most of the Azure services that rely on it, Azure Log Analytics included. The security research firm Wiz found the 4 vulnerabilities on June 01, 2021, and reported them to Microsoft; MS confirmed this on July 23, 2021.
We don’t know how Azure Log Analytics agent workspaces, which are used for some of the reporting services with AVD and Intune, are impacted. We think Microsoft uses OMI extensively behind the scenes as a common component of many of its VM management services.
You can go through Wiz’s blog post linked below to understand the impact. The impact is not limited to Log Analytics: many other Azure services and Linux VMs are affected as well. The following are the four (4) vulnerabilities already fixed by Microsoft:
- Local privilege escalation vulnerability (CVE-2021-38648).
- Local privilege escalation vulnerability (CVE-2021-38645).
- Remote command execution vulnerability (CVE-2021-38647).
- Local privilege escalation vulnerability (CVE-2021-38649).
What is OMI
Open Management Infrastructure (OMI) is an open-source project available on GitHub. OMI plays the same role for Linux-based systems that WMI plays for Windows-based systems. We think WMI is better than OMI. Do you agree?
Azure Log Analytics Vulnerability
Open Management Infrastructure (OMI) is an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI’s small footprint, it also demonstrates very high performance.
As per Wiz, the following OMI ports are accessible to the internet to allow remote management. The diagram below illustrates the unexpected behavior of OMI when a command execution request is issued with no Authorization header.
NOTE! – Log Analytics does not expose the above ports, so the scope is limited to local privilege escalation for Azure log analytics.
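The behavior described above, a command execution request that reaches the OMI listener with no Authorization header at all, is also the pattern a defender can look for in traffic that fronts a management endpoint. The script below is an added example, not code from the original post or from the OMI project; it assumes OMI speaks WS-Management over `POST /wsman` (the standard WS-Man endpoint path) and that requests have been captured as raw HTTP text, for example from a reverse proxy or a packet capture. The sample requests are constructed.

```python
"""Flag WS-Management (OMI) HTTP requests that carry no Authorization header.

Assumptions (not from the original post): the OMI listener is reached via
POST /wsman, and requests are available as raw HTTP text. Samples below are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    request_line: str
    has_authorization: bool
    is_wsman_post: bool

    @property
    def suspicious(self) -> bool:
        # A WS-Man request without any Authorization header should never be
        # accepted by the listener; seeing one is worth an alert.
        return self.is_wsman_post and not self.has_authorization


def parse_request(raw: str) -> Finding:
    """Split raw HTTP text into request line and headers (header names are
    case-insensitive, so they are lowercased before lookup)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ")[0]
    is_wsman_post = method.upper() == "POST" and path.lower().startswith("/wsman")
    return Finding(request_line, "authorization" in headers, is_wsman_post)


SAMPLES = [
    # constructed: authenticated management call (credential value is a dummy)
    "POST /wsman HTTP/1.1\r\nHost: vm\r\nAuthorization: Basic dummy\r\n"
    "Content-Type: application/soap+xml\r\n\r\n<s:Envelope/>",
    # constructed: anonymous WS-Man request, the pattern to alert on
    "POST /wsman HTTP/1.1\r\nHost: vm\r\nContent-Type: application/soap+xml\r\n\r\n<s:Envelope/>",
    # constructed: unrelated request, not a management call
    "GET /healthz HTTP/1.1\r\nHost: vm\r\n\r\n",
]


def suspicious_requests(samples=SAMPLES):
    """Return the request lines of every anonymous WS-Man POST in `samples`."""
    return [f.request_line for f in map(parse_request, samples) if f.suspicious]


if __name__ == "__main__":
    for line in suspicious_requests():
        print("ALERT: WS-Man request with no Authorization header:", line)
```

Pointing the same check at real proxy logs is a quick way to confirm whether the listener ever receives anonymous management requests, which should be none once the fixed OMI build is installed.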
Wiz’s blog post provides very detailed information about this issue.