
Holy Sh** has installed the simplest backdoor in your VMs without you knowing about it.

Microsoft Azure silently installs management agents on your Linux VMs without an auto-update mechanism, so you have to update manually, but you don't know they exist because you didn't install them? 🤔

Simply remove the auth header and you are root. Remotely on all machines. 🤯

wiz.io/blog/secret-agent-expos

@datenteiler chuckle “Just use the cloud, the providers have better professionals securing things than we can afford”.

@aexiruch @datenteiler after three weeks back in the field I have realised how stupid people who think like that are.

You still need to configure.

@datenteiler also, it's quite likely some of these machines are websites storing our personal data.

@datenteiler Well, management apps are quite prevalent in VPS/VMs.
Which is why I tend to recommend either installing your own system or at least picking an image where it's easy to inspect like Alpine.

@datenteiler the Takeaway FUD really drags this down 🤷

Otherwise O.M.G. indeed.

@datenteiler azure and the few other massive cloud infra providers hosting millions of machines on uniform codebases and somehow open source practices are to blame lol

@codeforchaos I can't understand the criticism in the article either. SolarWinds has just shown that a company can also implement such vulnerabilities with closed source software, even if it was not stupidity, but attackers who infiltrated the code.

@datenteiler at my old job we had several people notice and complain about OMI. But the truth is that the people who are in Azure don't have a choice because their bosses already decided that they're using Azure and using X number of features requiring OMI.

I'm so happy to not be working with cloud infrastructure anymore.

@datenteiler
> Takeaways

Yeah. It all happened because Microsoft added its secret sauce to an otherwise open system. But this somehow means open source bad.

What kind of twisted logic is that.

@drq LOL that they blame open source practices. Microsoft is imho hosting millions of machines on uniform codebases on Azure, but then open source software with only 20 contributors on GitHub is to blame? I don't think so either. 🙄

@drq @datenteiler exactly. The actual issue at hand is Microsoft foisting their garbage onto an otherwise proper system.

If you need WinRM to manage linux systems you're doing it completely wrong anyway.

@datenteiler So they wrote a new system for managing Linux hosts. Couldn't they have used one of the existing tools?

And they wrote a) several thousand lines b) of C code c) that runs with high privileges and d) processes network messages? 🤯
Kinda reminds me of the ugly Windows security bugs of the past decades...

And did they really build their own XML parser (github.com/microsoft/omi/blob/)? And their own query language (github.com/microsoft/omi/blob/)?

(1/)

@datenteiler Also, challenge: fix the commit that fixed CVE-2021-38647, and check it for correctness.
It's probably github.com/microsoft/omi/commi ("Enhanced security"); and it contains apparently unrelated changes (?), and macro code. TBH it's no wonder that code was buggy. I rather wonder how many other security bugs are lurking in there.

#Microsoft #security

@datenteiler
Btw. regarding the "Open source is a supply chain risk" takeaway: the top 5 contributors to OMI (from github.com/microsoft/omi/graph) work at Microsoft, according to their profile pages. Actually, 15 of the top 20 contributors do so. I guess that shows the development practices at Microsoft, rather than a risk from Open Source.

#preachingToTheChoir

(3/3)

Image description for top post

Animation showing the flow of commands from both a low-privileged authorised user and a malicious attacker.

First workflow shows a low-privileged authorised user sending a POST request that includes a 'basic authorization header' with a valid password, along with the command /usr/bin/id (which returns basic information about the user's IDs).
The OMI server validates the request and returns the low-privileged user's User ID, username, Group ID, group name and groups they are part of.

Second workflow shows a malicious attacker sending a similar POST request, but this time leaving out the 'authorization' header, along with the command /usr/bin/id (which returns basic information about the user's IDs).
The OMI server again successfully validates the request, but this time returns the root user's User ID, username, Group ID, group name and groups.

#ImageDescription #ImageDescriptions #MediaDescription
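The top post says the agent is installed without your knowledge and has no auto-update, and the image description above shows why an unpatched, network-reachable omiserver matters. The practical check a VM owner wants is therefore: is the omi package installed, is it older than the fixed release, and is the server actually listening on a network port? The script below is an added example written for this thread; it is not code from the original posts, from Wiz or from Microsoft's OMI repository. It assumes (not stated in the thread) that OMI ships as a package named `omi` on both Debian and RPM systems, that 1.6.8.1 is the release carrying the fix for CVE-2021-38647, and that OMI's remote management listeners use TCP ports 5985, 5986 and 1270. The listener check parses `/proc/net/tcp` directly instead of depending on `ss` or `netstat`, and the embedded sample table is constructed for demonstration.

```shell
#!/bin/sh
# Added example for the OMI (CVE-2021-38647) thread: check whether this Linux host
# carries an old omi package and whether omiserver is listening on the network.
# Assumptions (not from the thread): package name "omi", fixed version 1.6.8.1,
# OMI management ports 5985 (HTTP), 5986 (HTTPS) and 1270 (SCOM).
set -eu

OMI_FIXED_VERSION="1.6.8.1"   # assumption: first release with the CVE-2021-38647 fix

# vercmp A B: prints -1, 0 or 1. Non-digits become separators, so the RPM form
# "1.6.8-1" compares equal to the Debian form "1.6.8.1".
vercmp() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.]/./g')
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.]/./g')
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{print $n}')
        y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{print $n}')
        [ -z "$x" ] && [ -z "$y" ] && { echo 0; return 0; }
        x=${x:-0}; y=${y:-0}          # missing component counts as 0 ("1.6" == "1.6.0")
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
}

# True (exit 0) when the given omi version predates the fixed release.
omi_version_vulnerable() {
    [ "$(vercmp "$1" "$OMI_FIXED_VERSION")" -lt 0 ]
}

# Prints the installed omi version via dpkg or rpm; fails if the package is absent.
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# Reads /proc/net/tcp-format lines on stdin and prints, space separated, the OMI
# ports that are in LISTEN state (st == 0A). Ports in the table are hex, so the
# awk converts them by hand (strtonum is gawk-only).
omi_listeners() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return n
    }
    $4 == "0A" {
        split($2, addr, ":")
        p = hex2dec(addr[2])
        if ((p == 5985 || p == 5986 || p == 1270) && !(p in seen)) {
            seen[p] = 1
            out = out (out == "" ? "" : " ") p
        }
    }
    END { print out }'
}

# Constructed sample in /proc/net/tcp format: sshd listening on 22 (0x0016),
# omiserver listening on 5986 (0x1762) and 1270 (0x04F6), plus one ESTABLISHED
# (st 01) connection to 5986 that must not be counted as a listener.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1762 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 0000000000000000 100 0 0 10 0
   2: 00000000:04F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1762 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 2004 1 0000000000000000 20 4 30 10 -1
EOF
}

# Report for the host this script runs on.
omi_report() {
    if ver=$(omi_installed_version); then
        if omi_version_vulnerable "$ver"; then
            echo "omi $ver installed: older than $OMI_FIXED_VERSION, update it (CVE-2021-38647)"
        else
            echo "omi $ver installed: at or above $OMI_FIXED_VERSION"
        fi
    else
        echo "omi package not found by dpkg/rpm"
    fi
    ports=$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | omi_listeners)
    if [ -n "$ports" ]; then
        echo "OMI-associated ports in LISTEN state: $ports (remotely reachable unless filtered)"
    else
        echo "no listener on 5985/5986/1270"
    fi
}

omi_report
```

An old package with no listener is a local privilege escalation waiting to happen; a listener on 5986 with an old package is the remote case the top post describes. Run the same script from your configuration management across the fleet, since the point of the thread is that you did not choose to install this agent and nothing updates it for you.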

@datenteiler """the supply chain risk of open source code,""" fuck that article author. It wasn't the open source code that was the risk. It was the closed source malware that was the risk.

@saramg Exactly! I can't understand the criticism of OSS either. SolarWinds has just shown that a company can also implement such vulnerabilities with closed source software, even if it was not stupidity, but attackers who infiltrated the code.

@datenteiler
Apparently a lot of people are being told it's their fault for using Open Source. Quite the petty witch hunt going on.

@datenteiler Nah, it is not a bug, it is a feature improving UX! 😜

Fosstodon