CVE-2022-29149: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

Overview

Severity: High (CVSS 7.8)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Jun
Released: 2022-06-14
Last Updated: 2022-07-25
EPSS Score: 0.21% (percentile: 43.4%)

FAQ

What is OMI?

Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Azure Virtual Machine (VM) management extensions mentioned in this CVE use this framework to orchestrate configuration management and log collection on Linux VMs. Refer to this link for more details: GitHub - microsoft/omi: Open Management Infrastructure.

What versions of OMI are vulnerable?

OMI versions v1.6.9-0 and below are vulnerable.

How can an attacker exploit the vulnerability?

In OMI, internal process communication is authenticated by using a key that consists of a random number. The method used to generate the random number can be spoofed by an attacker to manipulate the OMI communications to gain elevated privileges. The attacker must be locally logged in to the machine on which the OMI components are running.

How do the updates address the vulnerability?

The randomly generated string-based authentication mechanism has been replaced with a mechanism that ensures appropriate access control on the local socket that is used for communication between the OMI components.

How can I determine which VMs are impacted by this vulnerability?

Azure VMs that use the VM Management Extensions listed in the following table are impacted. All customers that are impacted will be notified directly. To identify the affected VMs in their Azure subscriptions, customers can use one of the following methods:

  • Use Microsoft Defender for Cloud to find machines affected by this vulnerability.
  • To identify an Azure VM for the vulnerable extensions, leverage Azure Portal or Azure CLI as described in this article. If the reported extension versions match the versions listed for the ‘Fixed Extension Versions’ in the following table, no further action is required. If they do not match, then please follow the instructions given in the table.
  • To scan an Azure subscription for vulnerable VMs use the script here. This script can also b
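The version threshold in the FAQ ("v1.6.9-0 and below") is easy to misapply with a plain string comparison, which ranks 1.6.10 below 1.6.9. The following is an added example, not code from the advisory or from the OMI project: it classifies OMI version strings you have already collected from your hosts. The function names, the sample inventory, and the choice to treat a missing build suffix as build 0 are assumptions made for illustration.

```python
import re

# Highest vulnerable release per the advisory: "v1.6.9-0 and below".
LAST_VULNERABLE = (1, 6, 9, 0)

# Accepts "1.6.9-0", "v1.6.9-0" or "1.6.9" (build suffix optional).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_omi_version(text):
    """Turn 'v1.6.9-0' or '1.6.10-2' into a tuple of ints; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    # Assumption: a missing build suffix is treated as build 0.
    return (int(major), int(minor), int(patch), int(build or 0))


def classify(version_text):
    """Return 'vulnerable', 'not-vulnerable' or 'unknown' for one version string."""
    parsed = parse_omi_version(version_text)
    if parsed is None:
        return "unknown"  # never silently treat unparseable input as safe
    # Tuple comparison is numeric per component, so 1.6.10 > 1.6.9.
    return "vulnerable" if parsed <= LAST_VULNERABLE else "not-vulnerable"


def triage(inventory):
    """Map host -> verdict for an iterable of (host, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed inventory for illustration; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("vm-web-01", "1.6.8-1"),
    ("vm-web-02", "v1.6.9-0"),
    ("vm-db-01", "1.6.10-2"),  # a string compare would rank this below 1.6.9
    ("vm-db-02", "1.7.0-0"),
    ("vm-log-01", "not installed"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "unknown" need a manual check rather than being counted as patched.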

Affected Products (12)

Azure

  • Azure Automation State Configuration, DSC Extension
  • Azure Automation Update Management
  • Log Analytics Agent
  • Azure Diagnostics (LAD)
  • Container Monitoring Solution
  • Azure Security Center
  • Azure Sentinel
  • Azure Stack Hub
  • Open Management Infrastructure

System Center

  • System Center Operations Manager (SCOM) 2022
  • System Center Operations Manager (SCOM) 2019
  • System Center Operations Manager (SCOM) 2016

Security Updates (5)

Acknowledgments

Rohit Gurunath (https://twitter.com/rohitg5249) and Logan Gabriel (https://twitter.com/logan0x05?lang=en)

Revision History

  • 2022-06-14: Information published.
  • 2022-07-07: Updated the FAQs to further clarify the update guidance for this CVE. This is an informational change only.
  • 2022-07-18: Updated the FAQs to further clarify the update guidance for this CVE. This is an informational change only.
  • 2022-07-25: Added acknowledgements. This is an informational change only.