Azure Log Analytics Vulnerability Fixed: the OMI (OMIGOD) Flaws

Let’s have a look at the Azure Log Analytics vulnerability. Microsoft has already fixed it for most of the affected Azure services, including Azure Log Analytics. The security research firm Wiz found four vulnerabilities in the Open Management Infrastructure (OMI) agent, reported them to Microsoft on June 01, 2021, and Microsoft confirmed the report on July 23, 2021. The fixes shipped with the September 14, 2021 Patch Tuesday release as OMI version 1.6.8-1.

We don’t know how the Azure Log Analytics agent workspaces used for some of the AVD and Intune reporting services are impacted. We think Microsoft uses OMI extensively behind the scenes as a common component of many of its VM management services.

You can go through Wiz’s blog post linked below to understand the impact. The impact is not limited to Log Analytics: many other Azure services and the Linux VMs they manage are affected as well. The following four (4) vulnerabilities have already been fixed by Microsoft:

  • Local privilege escalation vulnerability (CVE-2021-38648, CVSS 7.8).
  • Local privilege escalation vulnerability (CVE-2021-38645, CVSS 7.8).
  • Unauthenticated remote code execution as root (CVE-2021-38647, CVSS 9.8).
  • Local privilege escalation vulnerability (CVE-2021-38649, CVSS 7.0).

The three local privilege escalations need only an unpatched OMI install on the VM; the remote code execution additionally needs an OMI listener reachable over the network.

What is OMI?

Open Management Infrastructure (OMI) is an open-source project available on GitHub. OMI is to Linux-based systems what WMI is to Windows-based systems: a CIM/WBEM management agent that exposes system state and accepts management commands. We think WMI is better than OMI. Do you agree?


Open Management Infrastructure (OMI) is an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI’s small footprint, it also demonstrates very high performance.

As per Wiz, the following OMI ports are exposed to the internet on affected hosts to allow for remote management. The diagram below illustrates the unexpected behavior of OMI when a command execution request is issued with no Authorization header: instead of rejecting the unauthenticated request, the OMI server executes the command as root.

  • 5986 (HTTPS, WS-Management)
  • 5985 (HTTP, WS-Management)
  • 1270 (OMI)

NOTE! – Log Analytics itself does not expose the above ports, so for Azure Log Analytics the scope is limited to local privilege escalation. The ports are exposed by other services that configure OMI to listen remotely, so check what is actually listening on the VM rather than assuming.

[Diagram: Azure Log Analytics Vulnerability, OMI handling a command execution request with no Authorization header. Picture credit: Wiz]
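To turn the CVE list above and the port/scope note into something you can run on a Linux VM, here is a small triage script. It is an added example written for this post, not code from Wiz or Microsoft. It assumes two facts stated on this page or in Microsoft’s advisory: OMI builds older than 1.6.8-1 are affected by all four CVEs, and the remote code execution (CVE-2021-38647) only matters when one of the OMI ports (5985, 5986, 1270) is bound to a non-loopback address. The package-manager and `ss` output embedded below is constructed for illustration; on a real host, pass the live output as arguments.

```python
"""OMI (OMIGOD) triage helper for a Linux VM.

Added example for this post, not code from Wiz or Microsoft. It answers two
questions a responder asks on an Azure Linux VM:

  1. Is the installed OMI package at or above the fixed version (1.6.8-1)?
  2. Are the OMI ports (5985, 5986, 1270) listening, and if so, are they
     bound only to loopback or to an external address?

Usage on a real host:
    python3 omi_triage.py "$(rpm -q omi 2>/dev/null || dpkg-query -W omi)" "$(ss -Hltn)"
With no arguments it runs against the constructed sample data at the bottom.
"""
import json
import re
import sys

# Fixed OMI release per Microsoft's September 2021 advisory (1.6.8-1).
# Assumption in this example: every earlier build is treated as affected.
FIXED_OMI_VERSION = (1, 6, 8, 1)

# Ports Wiz lists as used by OMI for remote management.
OMI_PORTS = {5985: "HTTP (WS-Man)", 5986: "HTTPS (WS-Man)", 1270: "OMI"}

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def parse_omi_version(text: str) -> tuple:
    """Extract the version tuple from package-manager output such as
    'omi-1.6.8-1.x86_64' (rpm) or 'omi\t1.6.8.1' (dpkg-query)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)", text)
    if not m:
        raise ValueError(f"no OMI version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def omi_is_fixed(version_text: str) -> bool:
    """True when the installed OMI build is at or above the fixed release."""
    return parse_omi_version(version_text) >= FIXED_OMI_VERSION


def parse_ss_listeners(ss_output: str) -> list:
    """Parse `ss -ltn` lines into (local_address, port) pairs.
    Handles IPv4 ('0.0.0.0:5985'), IPv6 ('[::]:5986') and wildcard ('*:1270');
    a header line is skipped because its 'port' field is not numeric."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def omi_exposure(listeners: list) -> dict:
    """Map each listening OMI port to 'local' (loopback only) or 'external'."""
    result = {}
    for addr, port in listeners:
        if port not in OMI_PORTS:
            continue
        scope = "local" if addr.startswith(LOOPBACK_PREFIXES) else "external"
        # A non-loopback binding on a port outweighs a loopback one.
        if result.get(port) != "external":
            result[port] = scope
    return result


def triage(version_text: str, ss_output: str) -> dict:
    """Combine both checks into one verdict dictionary."""
    fixed = omi_is_fixed(version_text)
    exposure = omi_exposure(parse_ss_listeners(ss_output))
    return {
        "omi_version": ".".join(map(str, parse_omi_version(version_text))),
        "fixed": fixed,
        "exposure": exposure,
        # CVE-2021-38647 needs an unpatched build AND a reachable listener.
        "remote_rce_exposed": (not fixed) and "external" in exposure.values(),
        # The three LPE CVEs need only an unpatched local install.
        "local_lpe_exposed": not fixed,
    }


# --- constructed sample data (not captured from a real host) ---
SAMPLE_VERSION_OLD = "omi-1.6.4-1.x86_64"
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5986 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:1270 *:*
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(json.dumps(triage(sys.argv[1], sys.argv[2]), indent=2))
    else:
        print(json.dumps(triage(SAMPLE_VERSION_OLD, SAMPLE_SS), indent=2))
```

On the constructed sample the verdict is that the host is unpatched, port 5985 is loopback-only, and 5986 and 1270 are reachable externally, so both the remote code execution and the local privilege escalations apply. A VM managed only by the Log Analytics agent would normally show no external OMI listener, which is the "local privilege escalation only" case the note above describes, but the script reports what is actually bound rather than assuming it.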

Wiz’s blog post gives very detailed information about this issue, including the full timeline and the affected services.
