Microsoft Azure silently installs management agents on your Linux VMs without an auto-update mechanism, so you have to update manually, but you don't know they exist because you didn't install them? 🤔
Simply remove the auth header and you are root. Remotely, on all machines. 🤯
@datenteiler chuckle “Just use the cloud, the providers have better professionals securing things than we can afford”.
@datenteiler Azure and the few other massive cloud infra providers hosting millions of machines on uniform codebases, and somehow open source practices are to blame lol
@datenteiler At my old job we had several people notice and complain about OMI. But the truth is that the people who are in Azure don't have a choice because their bosses already decided that they're using Azure and using X number of features requiring OMI.
I'm so happy to not be working with cloud infrastructure anymore.
Yeah. It all happened because Microsoft added its secret sauce to an otherwise open system. But this somehow means open source bad.
What kind of twisted logic is that.
@drq LOL that they blame open source practices. Microsoft is IMHO hosting millions of machines on uniform codebases on Azure, but then open source software with only 20 contributors on GitHub is to blame? I don't think so either. 🙄
@datenteiler So they wrote a new system for managing Linux hosts. Couldn't they have used one of the existing tools?
And they wrote a) several thousand lines b) of C code c) that runs with high privileges and d) processes network messages? 🤯
Kinda reminds me of the ugly Windows security bugs of the past decades...
And did they really build their own XML parser (https://github.com/microsoft/omi/blob/master/Unix/xml/xml.c)? And their own query language (https://github.com/microsoft/omi/blob/master/Unix/wql/wql.txt)?
@datenteiler Also, challenge: fix the commit that fixed CVE-2021-38647, and check it for correctness.
It's probably https://github.com/microsoft/omi/commit/4ce2cf1cb0aa656b8eb934c5acc3f4d6a6796bfa ("Enhanced security"), and it contains apparently unrelated changes (?) and macro code. TBH it's no wonder that code was buggy. I rather wonder how many other security bugs are lurking in there.
Btw. regarding the "Open source is a supply chain risk" takeaway: the top 5 contributors to OMI (from https://github.com/microsoft/omi/graphs/contributors) work at Microsoft, according to their profile pages. Actually, 15 of the top 20 contributors do so. I guess that shows the development practices at Microsoft, rather than a risk from Open Source.
Image description for top post:
Animation showing the flow of commands from both a low-privileged authorised user and a malicious attacker.
The first workflow shows a low-privileged authorised user sending a POST request that includes a 'Basic' authorization header with a valid password, along with the command /usr/bin/id (which returns basic information about the user's IDs).
The OMI server validates the request and returns the low-privileged user's user ID, username, group ID, group name and the groups they are part of.
The second workflow shows a malicious attacker sending a similar POST request, but this time leaving out the 'Authorization' header, along with the command /usr/bin/id (which returns basic information about the user's IDs).
The OMI server again successfully validates the request, but this time returns the root user's user ID, username, group ID, group name and groups.
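The two workflows in the image description boil down to one fail-open pattern: the identity is only downgraded when an Authorization header is present, so a request with no header keeps the server's own (root) identity. The block below is an added illustration written for this page, not OMI's code and not a reproduction of CVE-2021-38647's exact request format; the credential store, the `authenticate_*` functions and the `handle` request model are constructed to contrast the fail-open check with a fail-closed one.

```python
"""Model of the auth-bypass pattern described above.

Constructed example, not OMI code. The user table, identities and the
request handler are hypothetical; only the shape of the bug (a missing
Authorization header skipping the step that replaces the root identity)
is taken from the thread's description.
"""
import base64
import hmac

# Constructed credential store: user -> (password, identity it maps to)
USERS = {"alice": ("alice-pw", {"uid": 1001, "user": "alice"})}
# Identity the server process itself runs as
ROOT = {"uid": 0, "user": "root"}


def parse_basic(header):
    """Return (user, password) from a 'Basic <b64>' header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def check_password(user, password):
    """Return the identity for a valid user/password pair, else None."""
    entry = USERS.get(user)
    if entry is None:
        return None
    stored, identity = entry
    if hmac.compare_digest(stored.encode(), password.encode()):
        return identity
    return None


def authenticate_vulnerable(headers):
    """Fail-open: credentials are only checked when a header is present.
    With no header, the branch that swaps in the caller's identity never
    runs and the server's own root identity is returned unchanged."""
    identity = dict(ROOT)
    auth = headers.get("Authorization")
    if auth is not None:
        parsed = parse_basic(auth)
        if parsed is None:
            return None
        identity = check_password(*parsed)
    return identity


def authenticate_fixed(headers):
    """Fail-closed: no usable header means no identity at all."""
    parsed = parse_basic(headers.get("Authorization"))
    if parsed is None:
        return None
    return check_password(*parsed)


def handle(headers, command, authenticate):
    """Request model: authenticate, then run the command as that identity.
    Returns (status, body); only /usr/bin/id is modelled, as in the animation."""
    identity = authenticate(headers)
    if identity is None:
        return 401, None
    if command != "/usr/bin/id":
        return 403, None
    return 200, f"uid={identity['uid']}({identity['user']})"


def basic_header(user, password):
    """Build a Basic authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    good = {"Authorization": basic_header("alice", "alice-pw")}
    print("authorised user, vulnerable :", handle(good, "/usr/bin/id", authenticate_vulnerable))
    print("no header,       vulnerable :", handle({}, "/usr/bin/id", authenticate_vulnerable))
    print("no header,       fixed      :", handle({}, "/usr/bin/id", authenticate_fixed))
```

The first two calls in the `__main__` block reproduce the two workflows of the animation: a valid Basic header yields the low-privileged identity, and simply omitting the header yields uid 0 from the fail-open handler, while the fail-closed handler answers 401. The check a practitioner wants from this is the structural one: authentication code must start from "no identity" and only ever add privilege after a successful check, never start from the service's own identity and subtract.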
@datenteiler """the supply chain risk of open source code,""" fuck that article author. It wasn't the open source code that was the risk. It was the closed source malware that was the risk.
@saramg Exactly! I can't understand the criticism of OSS either. SolarWinds has just shown that a company can also implement such vulnerabilities with closed source software, even if it was not stupidity but attackers who infiltrated the code.
Apparently a lot of people are being told it's their fault for using Open Source. Quite the petty witch hunt going on.