CVE-2022-29149

Published: 14 Jun 2022
Source: msrc
CVSS3: 7.8
EPSS: Low

Description

Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

FAQ

What is OMI?

Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Azure Virtual Machine (VM) management extensions mentioned in this CVE use this framework to orchestrate configuration management and log collection on Linux VMs.

Refer to this link for more details: GitHub - microsoft/omi: Open Management Infrastructure.

What versions of OMI are vulnerable?

OMI versions v1.6.9-0 and below are vulnerable.

How can an attacker exploit the vulnerability?

In OMI, internal process communication is authenticated by using a key that consists of a random number. The method used to generate the random number can be spoofed by an attacker to manipulate the OMI communications to gain elevated privileges. The attacker must be locally logged in to the machine on which the OMI components are running.

How do the updates address the vulnerability?

The randomly generated string-based authentication mechanism has been replaced with a mechanism that ensures appropriate access control on the local socket that is used for communication between the OMI components.

How can I determine which VMs are impacted by this vulnerability?

Azure VMs that use the VM Management Extensions listed in the following table are impacted. All customers that are impacted will be notified directly.

To identify the affected VMs in their Azure subscriptions, customers can use one of the following methods:

  • Use Microsoft Defender for Cloud to find machines affected by this vulnerability.

  • To identify an Azure VM for the vulnerable extensions, leverage Azure Portal or Azure CLI as described in this article. If the reported extension versions match the versions listed for the ‘Fixed Extension Versions’ in the following table, no further action is required. If they do not match, then please follow the instructions given in the table.

  • To scan an Azure subscription for vulnerable VMs use the script here. This script can also be used to patch the affected VMs using the upgradeOMI parameter.

    • Note that the script identifies machines based on the vulnerable OMI version. OMI can be installed as a standalone package or along with the VM extensions listed below; the script reports a VM as affected in both cases.
    • The VM must be running (not deallocated) for the script to determine whether it is affected.
    • The ‘upgradeOMI’ parameter will upgrade the OMI package on the machine with no downtime and does not require a VM reboot.
    • The script upgrades the OMI version only. The VM extensions for other products are not updated. The extensions need to be updated separately by following the instructions given in the following table.

What products are affected by this vulnerability and how can I protect myself?

The following table lists the affected services and the required customer action to protect against this vulnerability.

Affected product / Fixed version number / Customer action required:

  • OMI as standalone package
    Fixed version: OMI v1.6.9-1
    Action: Manually download the update here.

  • Azure Automation Desired State Configuration, DSC Extension
    Fixed version: Linux DSC Agent 2.71.1.33 (for Version 2) or 3.0.0.7 (for Version 3)
    Action: Manually update the VM extension using the instructions here.

  • System Center Operations Manager (SCOM) Management Pack for UNIX and Linux Operating Systems
    Fixed version: Management Pack for SCOM 2016: 7.6.1108.0; SCOM 2019: 10.19.1152.0; SCOM 2022: 10.22.1024.0
    Action: Manually download and update the applicable management packs: 2016, 2019, or 2022.

  • Log Analytics Agent, Azure Security Center, Azure Sentinel, Azure Automation, Azure Automation Update Management
    Fixed version: OMS Agent for Linux GA v1.14.13
    Action: Manually download and update the OMS shell bundle using the instructions here, or through Azure PowerShell or Azure CLI using the instructions here.

  • Container Monitoring Solution
    Fixed version: image tag microsoft-oms-latest with full ID sha256:6131e66cdf7bd07f9db3bbb17902ea8695a2f2bda0cf72ff16170aaf93b56f3b
    Action: Manually update the OMS-docker image using the instructions here.

  • Azure Stack Hub
    Fixed version: Azure Monitor, Update and Configuration Management version 1.14.13
    Action: A new extension version is available via the Azure Stack Hub marketplace. Manually update using the instructions here.

  • Azure HDInsight
    Fixed version: HDInsight Version 4.0, 3.6; omsagent-1.14.13.0 and omi-1.6.9-1
    Action: Customers must apply the updates by running this script on every cluster node, or as communicated separately to you.

  • Azure Diagnostics (LAD)
    Fixed version: LAD v3: 3.0.137 and LAD v4: 4.0.27
    Action: Manually download and update the OMS shell bundle using the instructions here, or through Azure PowerShell or Azure CLI using the instructions here.
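The advisory's script is not reproduced on this page, so the following is an added example (not Microsoft's code) of the version check such a script has to get right: OMI uses a Debian/RPM-style package release suffix (1.6.9-0 is vulnerable, 1.6.9-1 is fixed), and dotted versions must be compared numerically rather than as strings. The fixed versions are taken from the table above; the short product labels and the sample inventory are constructed for the example.

```python
import re
# Fixed versions from the advisory table; the short labels are chosen here, not Azure names.
FIXED_VERSIONS = {
    "omi": "1.6.9-1",        # OMI standalone package
    "omsagent": "1.14.13",   # OMS Agent for Linux GA (Log Analytics etc.)
    "dsc-v2": "2.71.1.33",   # Linux DSC Agent, Version 2
    "dsc-v3": "3.0.0.7",     # Linux DSC Agent, Version 3
    "lad-v3": "3.0.137",     # Azure Diagnostics LAD v3
    "lad-v4": "4.0.27",      # Azure Diagnostics LAD v4
}
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:-(\d+))?")

def parse_version(text):
    """'v1.6.9-1' -> ((1, 6, 9), 1): dotted numeric part plus package release.
    A missing release counts as 0, so '1.6.9' equals the vulnerable '1.6.9-0'."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    main = tuple(int(part) for part in m.group(1).split("."))
    release = int(m.group(2)) if m.group(2) is not None else 0
    return main, release

def is_fixed(product, installed):
    """True when installed >= fixed. Components compare numerically (1.6.10 is
    newer than 1.6.9, which string comparison gets wrong) and shorter dotted
    parts are zero-padded so '1.14.13.0' matches '1.14.13'."""
    have_main, have_rel = parse_version(installed)
    want_main, want_rel = parse_version(FIXED_VERSIONS[product])
    width = max(len(have_main), len(want_main))
    have = (have_main + (0,) * (width - len(have_main)), have_rel)
    want = (want_main + (0,) * (width - len(want_main)), want_rel)
    return have >= want

def assess(inventory):
    """Map an inventory {label: version string or None} to a status per product."""
    report = {}
    for product, version in inventory.items():
        if version is None:
            report[product] = "not installed"
        elif product not in FIXED_VERSIONS:
            report[product] = "unknown product"
        else:
            report[product] = "fixed" if is_fixed(product, version) else "VULNERABLE"
    return report

if __name__ == "__main__":
    # Constructed sample inventory, e.g. as collected from dpkg/rpm package queries.
    sample = {"omi": "1.6.9-0", "omsagent": "1.14.13.0", "lad-v3": "3.0.136", "dsc-v3": None}
    for product, status in assess(sample).items():
        print(f"{product:10s} {status}")
```

Feed it the package versions reported by the VM (or by the extension inventory described above); a machine where OMI is still at 1.6.9-0 is reported as VULNERABLE even though the extension itself may look up to date.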


Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Less Likely
Older Software Release: Exploitation Less Likely
DOS: N/A

EPSS: 0.00217 (percentile 44%), Low

CVSS3: 7.8 High

Related vulnerabilities

CVSS3: 7.8
nvd
more than 3 years ago

Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

CVSS3: 7.8
fstec
almost 4 years ago

Vulnerability in the Open Management Infrastructure (OMI) web-based enterprise management server of the Azure virtual machine management extensions, related to access control flaws, allowing an attacker to elevate privileges
