Finding Azure Linux VMs running OMI services
Details on vulnerabilities present in some Azure Linux VMs, collectively referred to as “OMIGOD”, came to light this week via published research by the cloud security folks at Wiz.io. These vulnerabilities are found in the Open Management Infrastructure software that Microsoft automatically installs in certain Azure Linux VMs. They include an unauthenticated root-level code execution vulnerability (CVE-2021-38647; CVSS base score of 9.8) and three privilege escalation vulnerabilities:
While patches were made last month for OMIGOD vulnerabilities, there have been reports this week that some new Azure Linux VM instances are still provisioning the vulnerable OMI code. Microsoft has provided guidance on ensuring folks are running the latest, patched OMI software. Wiz provided remediation recommendations via limiting network access to OMI WSMAN ports 5985, 5986, and 1270.
Fingerprinting WSMAN #
We recently added support to the v2.6.4 runZero Explorers and scanners to discover WSMAN services on your network-connected assets. Web Services-Management (WSMAN) is a protocol designed for the management of systems and services, and it can be found in a number of technologies, including Microsoft’s WinRM and some BMC devices. The OMI WSMAN implementation is where the OMIGOD vulnerabilities exist, and Rumble scans can identify the vendor and version of a WSMAN service with exposed ports.
Pulling WSMAN details can be done via POST request of a short SOAP message containing the wsmid:Identify
operation. A successful reply to this request will arrive in the form of a SOAP message containing product details. While adding this capability, we discovered that the OMI WSMAN implementation does not reply to HTTP requests unless a valid Content-Type
header is present in the request, which was unexpected.
Finding Azure Linux VMs running OMI services #
Once you have scanned your assets with a v2.6.4+ explorer or scanner, navigate to your Services Inventory and use the following pre-built query to identify systems running the OMI WSMAN service:
_asset.protocol:wsman AND wsman.productVendor:="Open Management Infrastructure" AND (wsman.productVersion:=0.% or wsman.productVersion:=1.0.% or wsman.productVersion:=1.1.% or wsman.productVersion:1.2.% or wsman.productVersion:=1.3.% or wsman.productVersion:=1.4.% or wsman.productVersion:=1.5.% or wsman.productVersion:=1.6.0-% or wsman.productVersion:=1.6.1-% or wsman.productVersion:=1.6.2-% or wsman.productVersion:=1.6.3-% or wsman.productVersion:=1.6.4-% or wsman.productVersion:=1.6.5-% or wsman.productVersion:=1.6.6-% or wsman.productVersion:=1.6.7-% or wsman.productVersion:=1.6.8-0)

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding Linux instances running OMI services?
Get started

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
Similar Content
September 29, 2023
How to find WS_FTP Server instances?
How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …
Read MoreSeptember 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …
Read MoreSeptember 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …
Read More