microsoft / omi

Open Management Infrastructure

Regarding the OMIGOD vulnerability #694

Closed johanburati closed 2 years ago

johanburati commented 2 years ago

Wiz’s research team reported that the issue was solved in OMI version 1.6.8.1 in their article on their website.

Microsoft released a patched OMI version (1.6.8.1)

However, I just deployed a VM and the OmsAgentForLinux extension installed OMI version 1.6.8.0:

# grep PRETTY /etc/os-release
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"

# /opt/omi/bin/omiagent --version
/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021

OMI version 1.6.8-0 is the only version I could see in the repo. Could you please confirm whether this version is vulnerable or not?

johanburati commented 2 years ago

I've deployed an Ubuntu VM and it also installs OMI version 1.6.8.0 by default:

# grep PRETTY /etc/os-release
PRETTY_NAME="Ubuntu 20.04.3 LTS"

# /opt/omi/bin/omiagent --version
/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021

johanburati commented 2 years ago

Same on SLES, it installs OMI version 1.6.8-0 by default:

# grep PRETTY /etc/os-release
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"

# /opt/omi/bin/omiagent --version
/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021

johanburati commented 2 years ago

For info, to install OMI version 1.6.8-1, you will need to grab the package for your distro on the releases pages and install it manually. I hope it helps.

Can anybody tell us when this version will be installed by default by the extension?

JumpingYang001 commented 2 years ago

@johanburati we have uploaded the packages to MS Repo, you can update it from MS Repo: https://docs.microsoft.com/en-us/windows-server/administration/Linux-Package-Repository-for-Microsoft-Software. Run sudo yum upgrade omi or sudo apt-get upgrade omi or sudo zypper update omi. For the Azure extension, I don't know who manages it.

mabicca commented 2 years ago

I think the point of this is, why do we keep deploying older versions of omi/oms agent and so on on new deployments and we can't keep those up to date? I had this question sent almost a year ago with no responses at all ... https://github.com/Azure/azure-linux-extensions/issues/1210

Yes, it's with the extensions team, but still, this is not acceptable.

nsao-genetec commented 2 years ago

Looks like the APT configs are not pointing to the above-mentioned "MS Repo". So apt-get upgrade omi still installs the old one...

hugosjobergmedl commented 2 years ago

The service is stopped after updating, would recommend restarting it after updating: sudo systemctl start omid

bureado commented 2 years ago

Thank you @johanburati and @nsao-genetec for bringing this to our attention. (Also thank you @mbsnl for cross-referencing the issues.)

Yes, the extension seems to be pulling an older omi package. It looks like it specifically fetches a pinned release. You should see it in the template and can inspect it in your local VM (/var/lib/waagent/<extension folder>/packages/omsagent*sh or similar). It then installs with dpkg, you should be able to confirm that by running apt show omi and inspecting the APT-Manual-Installed flag.

As described by @JumpingYang001, it is possible to set up the packages.microsoft.com repository where the updated omi is available. An apt upgrade should pull that, but if @nsao-genetec is seeing problems with that please let us know which distro/release you're in and how your repo is set up in your sources.list.

deepakjain111 commented 2 years ago

@nsao-genetec: Which distro/release are you in? I can get that checked. We had tested almost all Linux, OMI is being upgraded to 1.6.8-1. Most likely some repo setup issue on the machine. Anyhow, share the details, I can get that checked.

voyager163 commented 2 years ago

For those people that do not get the update: please add the Microsoft repo into your VM repo list.

Below is the link for your reference. https://docs.microsoft.com/en-us/windows-server/administration/Linux-Package-Repository-for-Microsoft-Software

After you add the Microsoft repo, remember to perform sudo apt-get update and sudo apt-get upgrade. It will automatically detect that there is an update for OMI and SCX.
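
Added example, not part of the thread or of the OMI project: a POSIX shell check that parses the `omiagent --version` line shown earlier in this issue and compares it numerically with 1.6.8-1, the patched release named here, so you can confirm the upgrade actually landed. The function names and the `outdated`/`patched`/`unknown` labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify an `omiagent --version` line against the patched
# OMI release named in this thread. Helper names are hypothetical.

FIXED="1.6.8-1"   # patched release per the thread

# Extract "1.6.8-0" from a line such as
# "/opt/omi/bin/omiagent: OMI-1.6.8-0 - Wed Jan 13 18:36:50 PST 2021".
# Prints nothing when the line does not contain an OMI version string.
omi_parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OMI-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# Print "patched", "outdated" or "unknown" for one version line.
# Fields are compared as numbers, so 1.6.10-0 sorts above 1.6.8-1.
omi_status() {
    ver=$(omi_parse_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    printf '%s %s\n' "$ver" "$FIXED" | awk '{
        n = split($1, a, /[.-]/); split($2, b, /[.-]/)
        for (i = 1; i <= n; i++) {
            if (a[i] + 0 < b[i] + 0) { print "outdated"; exit }
            if (a[i] + 0 > b[i] + 0) { print "patched"; exit }
        }
        print "patched"   # identical to the fixed release
    }'
}

# On a host with OMI installed, report the local agent's status.
if [ -x /opt/omi/bin/omiagent ]; then
    omi_status "$(/opt/omi/bin/omiagent --version 2>&1)"
fi
```

An `unknown` result means the version line could not be parsed and the host needs a manual look.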

flannoo commented 2 years ago

How is this vulnerability impacting PaaS services in Azure (App Service, Azure Kubernetes Service, ...) with underlying Linux VMs? Does the OMI vulnerability affect those services as well? Because we don't have access to perform the patch on those VMs, since Microsoft controls that infrastructure.

skuethe commented 2 years ago

If you are running into SSL errors during upgrade via the MS repo (described here), download and install the packages provided by the release page.

For example, the Ubuntu package delivered via MS repo was forcing SSL version 1.0.x, but systems were running SSL version 1.1.x:

Expecting SSL version (compatible with): 1.0.0
SSL version found on system:             1.1.x

Incorrect version of OMI for your system, please check SSL version.

JumpingYang001 commented 2 years ago

@flannoo official impact document: https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/