Low severity vulnerability in Linux VMs patch


TL;DR: We have found a low severity vulnerability in Linux VMs. It has been patched for newly created VMs. Existing VMs can be self-service patched by downloading and running the script below.

What happened?

While troubleshooting a Linux VM, we recently uncovered a low severity vulnerability regarding logging into Linux VMs. We found that it was possible to log in to a Linux VM without being a member of that Workspace, provided that the user had very advanced permissions on a myDRE account and had manually added permissions to use an organisation’s Bastion instance. This combination of permissions is restricted to the anDREa Support Team for troubleshooting. Workspace users are not able to gain these permissions.

How did this happen?

Domain joining of the VM makes it possible for anyone with a myDRE account to log in to a VM, and every other account is rejected. On top of that, there is code to restrict logins to users of the particular Workspace. That part of the code was not behaving as expected. This was not found earlier because users are not able to reach the resources in other Workspaces through Azure. However, if such permissions were granted, it would be possible for them to log in to a Linux VM in a Workspace where they are not a member. Anyone who logs in to a VM this way would not have sudo access on the VM, only read access.

What are the implications?

This impacts all Linux VMs. However, the permissions mentioned above are mainly restricted to the anDREa Support Team. By default, the anDREa Support Team does not have access to the tenant's Bastion resource.


Risk: With the above, the risk level was set to Low.

About the patch

Included in this announcement is a script that can be used to fix the vulnerability on an existing Linux VM. Newly created Linux VMs will have this patch included. The fix restricts logins purely to Workspace members, as initially intended. The script has to be run once on each existing Linux VM. The simplest way to get the script into your Workspace is to use the file upload feature in the myDRE portal.


To run the script:

  • Download the script in this article.

  • Upload the script to your Workspace.

  • Log in to your Linux VM and open the console.

  • Run the script with the following commands:

    • cp /mnt/data/inbox/transfer-<time of upload>/DreDomainLogin.sh ./

    • sudo ./DreDomainLogin.sh

    • Enter the acronym of the workspace when prompted and press Enter.

    • The workspace acronym is the max 8 letter unique identifier of the workspace. An example below:



If you encounter any issues logging into your VM after running this script, please send us a support ticket.
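To check whether an account outside the Workspace logged in to a VM before it was patched, the VM's authentication log can be compared against the Workspace member list. The sketch below is an added example, not part of the anDREa patch script. It assumes that logins through Bastion are recorded by sshd in the standard syslog format (/var/log/auth.log on Ubuntu, /var/log/secure on CentOS) and that you supply the member account names yourself; the function names and sample data are made up for illustration.

```python
import re

# Constructed sample in the classic OpenSSH syslog format. Host, accounts,
# domain and addresses are invented; none of them come from myDRE.
SAMPLE_LOG = """\
Mar 14 09:12:01 vm1 sshd[1412]: Accepted password for Alice@EXAMPLE.ORG from 10.0.0.5 port 50122 ssh2
Mar 14 09:40:17 vm1 sshd[1520]: Failed password for mallory@example.org from 10.0.0.5 port 50310 ssh2
Mar 15 14:03:44 vm1 sshd[2201]: Accepted keyboard-interactive/pam for carol@example.org from 10.0.0.5 port 51877 ssh2
Mar 16 08:30:09 vm1 sshd[2790]: Accepted publickey for bob@example.org from 10.0.0.5 port 52001 ssh2
Mar 16 08:31:00 vm1 sshd[2795]: Accepted password for localadmin from 10.0.0.5 port 52040 ssh2
"""

# Only successful logins matter here: failed attempts never reached a session.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)


def normalise(account):
    """Compare account names case-insensitively (assumption: the directory does too)."""
    return account.strip().lower()


def non_member_logins(log_text, members, ignore=()):
    """Return (timestamp, account, method, source) for each accepted login
    whose account is neither a Workspace member nor in the ignore list
    (for example a local administrator account you already know about)."""
    allowed = {normalise(a) for a in members} | {normalise(a) for a in ignore}
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m and normalise(m["user"]) not in allowed:
            findings.append((m["ts"], m["user"], m["method"], m["src"]))
    return findings


if __name__ == "__main__":
    members = ["alice@example.org", "bob@example.org"]  # constructed member list
    for ts, user, method, src in non_member_logins(SAMPLE_LOG, members, ignore=["localadmin"]):
        print(f"{ts}  {user}  via {method}  from {src}")
```

On a real VM, pass the contents of the log file (including rotated copies) instead of SAMPLE_LOG. Any line reported is a login to follow up with the account owner.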
