Affected organizations are required to update installed agents that use the OMI cloud middleware software
# Vulnerability: Privilege Escalation in Open Management Infrastructure (OMI)
## CVE Details
- CVE ID: CVE-2022-29149
- CVSS Score: 7.8 (High), which the source describes as the "highest score possible for vulnerabilities that allow local privilege escalation"
- CWE: Not explicitly stated; the flaw is a local privilege escalation.
## Affected Systems
- Products: Open Management Infrastructure (OMI)
- Versions: All versions of OMI earlier than 1.6.9-1.
- Configurations: Azure Linux VMs with OMI installed (often as part of the OMS agent, Azure Automation, Azure Log Analytics, etc.) where extension auto-update is not enabled or not effective. Specifically affected services named in the source: OMI as a standalone package, System Center Operations Manager (SCOM), Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Diagnostics, Azure HDInsight, Azure Container Monitoring solution, Azure Security Center, and Azure Sentinel.
## Vulnerability Description
CVE-2022-29149 is a privilege escalation vulnerability residing within Open Management Infrastructure (OMI), which functions as middleware software silently installed on Azure Linux VMs to facilitate management tasks. An attacker who has already gained local access can exploit this flaw to elevate their privileges.
## Exploitation
- Status: Validated as exploitable (Wiz Research confirmed exploitation).
- Complexity: Implied Low/Medium. Local access is a prerequisite, but the source implies exploitation is straightforward once that access is present.
- Attack Vector: Local
## Impact
- Confidentiality: High (Implied, based on privilege escalation allowing access to sensitive resources)
- Integrity: High (Implied, based on privilege escalation allowing system modification)
- Availability: High (Implied, based on privilege escalation allowing damaging system operations)
## Remediation
### Patches
- Fixed version: 1.6.9-1. Customers must update OMI to this version or newer. Dependencies like Azure’s Operations Management Suite agent, Desired State Configuration agent, and Azure Diagnostics agent have been onboarded to the Extension Auto-update feature of Azure to help address this.
### Workarounds
- Customers running services that do not support auto-updates must manually update OMI to version 1.6.9-1 or newer.
- If OMI is not installed (i.e., `dpkg -l omi` or `rpm -qa omi` returns no results), the machine is not vulnerable.
## Detection
- **Indicators of Compromise:** Not explicitly detailed, but successful exploitation would involve unauthorized privilege gain by a local user.
- **Detection Methods and Tools:**
  - **Manual Check (SSH/Terminal access required):**
    - Debian/Ubuntu: `dpkg -l omi`
    - RedHat/CentOS/Fedora: `rpm -qa omi`
  - **Wiz Customers:** Detection is available via the Wiz Threat Center, which flags vulnerable workloads.
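As an added example (not part of this report or of any vendor tooling), the following POSIX shell script combines the package queries above with the fixed version 1.6.9-1 from the Remediation section and reports whether the host is still on an affected build. The `version_cmp` helper and the `OMI_CHECK_RUN` variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the report: flag an installed OMI package that
# is older than the fixed release 1.6.9-1 named under Remediation.
FIXED_OMI_VERSION="1.6.9-1"

# Compare two dotted/hyphenated versions component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2; non-digits are separators.
version_cmp() {
    a=$(printf '%s ' "$1" | sed 's/[^0-9]/ /g' | tr -s ' ')
    b=$(printf '%s ' "$2" | sed 's/[^0-9]/ /g' | tr -s ' ')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s' "$b" | cut -d' ' -f"$i")
        # Both exhausted without a difference: the versions are equal.
        [ -z "$x" ] && [ -z "$y" ] && { printf '%s\n' 0; return; }
        x=${x:-0}; y=${y:-0}   # a missing trailing component counts as 0
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        i=$((i + 1))
    done
}

# True (exit 0) when the given OMI version is affected by CVE-2022-29149:
# installed and earlier than 1.6.9-1. An empty version means not installed.
omi_vulnerable() {
    [ -z "$1" ] && return 1
    [ "$(version_cmp "$1" "$FIXED_OMI_VERSION")" = "-1" ]
}

# Installed OMI version from the package manager; prints nothing if absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${db:Status-Status} ${Version}\n' omi 2>/dev/null \
            | awk '$1 == "installed" { print $2 }'
    elif command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null) && printf '%s\n' "$v"
    fi
}

# Run the host check only when asked, so the functions can also be sourced.
if [ "${OMI_CHECK_RUN:-}" = "1" ]; then
    v=$(installed_omi_version)
    if omi_vulnerable "$v"; then
        echo "VULNERABLE: omi $v installed; update to $FIXED_OMI_VERSION or newer"
    else
        echo "OK: omi ${v:-not installed}"
    fi
fi
```

Run it on a host with `OMI_CHECK_RUN=1 sh omi-check.sh`; a machine with no `omi` package reports OK, matching the "not installed means not vulnerable" rule above.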
## References
- Vendor Advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-29149
- Wiz Research Blog (Technical Details/Collaboration): https://wiz.io/blog/auto-patching-for-omi
- Cloud Middleware Dataset: https://github.com/wiz-sec/cloud-middleware-dataset
- Cloud Vulnerability DB: https://cloudvulndb.org