[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears ... OMIGOD

The September 2021 Patch Tuesday could be remembered as the final patching attempt in the PrintNightmare… nightmare. The ease with which the vulnerabilities shrugged off the August patches doesn’t look to get a rerun. So far we haven’t seen any indications that this patch is so easy to circumvent.

The total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are “old friends”. There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.

Azure was the subject of five CVEs, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and given the nickname OMIGOD.

PrintNightmare

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.

The problem was made worse by significant confusion about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.

This month, Microsoft patched the remaining Print Spooler vulnerabilities under CVE-2021-36958. Fingers crossed.

MSHTML

This zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only found last week, but has attracted significant attention. It was listed as CVE-2021-40444, a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML.

Threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.

Given the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.

DNS elevation of privilege vulnerability

This vulnerability was listed as CVE-2021-36968 and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists because Windows DNS does not properly impose security restrictions. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.

Microsoft says that exploitation is “less likely”, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met, this bug can be used to accomplish elevation of privilege (EoP).

OMIGOD

OMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:

The researchers that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:

Wiz’s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.

OMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It’s likely that many users aren’t even aware they have it running.

The RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.

A coding mistake means that any incoming request to the service without an authorization header has its privileges default to uid=0, gid=0, which is root.

OMIGOD, right?

The researchers report that the flaw can only be used to remotely take over a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.

They advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:

  • For Debian systems (e.g., Ubuntu):
    dpkg -l omi
  • For Red Hat based systems (e.g., Fedora, CentOS, RHEL):
    rpm -qa omi

If OMI isn’t installed, the commands won’t return any results, and your machine isn’t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.
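The version check described above, turned into a small script that does the comparison against the patched 1.6.8.1 release for you. This is an added example, not code from the original post or from Microsoft or Wiz; it assumes dpkg-query or rpm can report the installed package version, and treats a Debian-style revision such as 1.6.8-1 as equivalent to 1.6.8.1.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the installed OMI
# package is at or above the patched 1.6.8.1 release named in the article.
# Assumptions: dpkg-query/rpm are used to read the version, and a Debian-style
# revision such as "1.6.8-1" is treated as equivalent to "1.6.8.1".

PATCHED_OMI_VERSION="1.6.8.1"

# Keep only digits and dots so "1.6.8-1" becomes "1.6.8.1".
normalise_version() {
    printf '%s' "$1" | tr -c '0-9.' '.'
}

# Return 0 when version $1 >= version $2, comparing the first four numeric fields.
version_ge() {
    a=$(normalise_version "$1"); b=$(normalise_version "$2")
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Classify an OMI version string: prints "patched" or "vulnerable".
omi_status() {
    if version_ge "$1" "$PATCHED_OMI_VERSION"; then echo patched; else echo vulnerable; fi
}

# Read the installed OMI version from the package manager; prints nothing if absent.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
    return 0
}

ver=$(installed_omi_version)
if [ -z "$ver" ]; then
    echo "OMI is not installed; this host is not affected by OMIGOD"
else
    echo "OMI $ver is $(omi_status "$ver")"
fi
```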

Update September 17, 2021

After a proof-of-concept exploit was published on the code hosting website GitHub, attackers were observed looking for Linux servers running on Microsoft’s Azure cloud infrastructure. These systems are vulnerable to the security flaw called OMIGOD.

According to reports from security researchers, the attackers use the OMIGOD exploit to deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.