  2. 5

    I’m confused about the threat model of the OMI agent and the commit that fixes this security issue. I’m also still confused what the OMI agent is.

    RE: the fix, this is the code fix in the OMI agent: https://github.com/microsoft/omi/commit/4ce2cf1. It’s very tempting to say “lol this is C, memory safety, let’s re-write it”, but if you look at this commit closely, especially http.c, it looks like there is a handler struct whose uid and gid fields are uninitialized, so in C they will keep the default value of 0, which happens to be root. That’s super interesting and unfortunate; I would argue it is not a memory safety issue, more of an invariants issue.

    In the commit there are some new mentions of something called a “secret string”. What is it, I wonder? This commit adds some conditional checks on it, and it’s initialized here: https://github.com/microsoft/omi/blob/e4d7248/Unix/server/server.c#L614. I think the idea is that on startup the server generates a random string, and only processes able to talk on a local socket can fetch it in order to talk to the OMI agent?

    It’s always hard to read code you’re unfamiliar with, but this left me with a murky feeling and desperately wanting to see a threat model.

    RE: what it is, if you go to the CVE pages, Microsoft’s first paragraph for each is:

    Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI’s small footprint, it also demonstrates very high performance.

    What?

    1. What problem does the OMI agent solve?
    2. How does the OMI agent solve this problem? Why does it need to be remotely accessible?
    3. How does this problem justify this agent being installed by default on all Azure Linux instances?

    I think these questions are answered here https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux and are obvious to Azure users, but should be front-and-center.
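    As an added illustration of the invariants point made above (example code written here, not taken from the OMI commit; the struct, the `NO_ID` sentinel and the function names are assumptions), this shows how a zero-initialised handler struct silently carries uid 0, and how starting from an invalid identity that is only overwritten after authentication closes that gap:

```c
/* Added example, not OMI's code: a zero-initialised handler struct silently
 * carries uid 0 (root); the hardened version starts from an invalid identity
 * and only trusts uid/gid after authentication. Names are hypothetical. */
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#define NO_ID ((uid_t)-1)   /* sentinel meaning "no identity established" */
typedef struct {
    uid_t uid;
    gid_t gid;
    bool  authenticated;    /* true only after the peer's credentials were verified */
} Handler;
/* Fragile pattern: calloc/memset leaves uid == gid == 0, which is root. */
void handler_init_zeroed(Handler *h) { memset(h, 0, sizeof *h); }
/* Hardened pattern: the default identity maps to nobody, not root. */
void handler_init_safe(Handler *h) {
    h->uid = NO_ID;
    h->gid = (gid_t)NO_ID;
    h->authenticated = false;
}

/* Called once the peer has proved its identity (e.g. via SO_PEERCRED). */
void handler_set_identity(Handler *h, uid_t uid, gid_t gid) {
    h->uid = uid;
    h->gid = gid;
    h->authenticated = true;
}

/* Naive check: anything with uid 0 is treated as root. */
bool is_root_naive(const Handler *h) { return h->uid == 0; }

/* Invariant-enforcing check: root only if an authenticated identity says so. */
bool is_root_checked(const Handler *h) {
    return h->authenticated && h->uid != NO_ID && h->uid == 0;
}

/* Scenario: a forgotten initialisation plus the naive check yields root. */
bool zeroed_handler_is_root(bool use_checked) {
    Handler h;
    handler_init_zeroed(&h);
    return use_checked ? is_root_checked(&h) : is_root_naive(&h);
}

/* Scenario: safe init, then an explicit identity; root only when uid 0 is set. */
bool authenticated_handler_is_root(uid_t uid) {
    Handler h;
    handler_init_safe(&h);
    if (uid != NO_ID) handler_set_identity(&h, uid, (gid_t)uid);
    return is_root_checked(&h);
}
```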

    1. 3

      This kind of thing is part of the reason that I have started working on a minimal Azure Instance Metadata Service client for FreeBSD. The official Azure agent is a huge blob of Python with a load of dependencies; I want something tiny that has the absolute minimum functionality necessary to configure a VM.