Azure WALinuxAgent Backdoor
WALinuxAgent is the Microsoft Azure Linux Agent, which runs with root access (backdoor?). It is a powerful tool for managing Linux on Azure. The source code is hosted on GitHub at Azure/WALinuxAgent.
The Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. It provides the following functionality for Linux IaaS deployments:
Image Provisioning
- Creation of a user account
- Configuring SSH authentication types
- Deployment of SSH public keys and key pairs
- Setting the host name
- Publishing the host name to the platform DNS
- Reporting SSH host key fingerprint to the platform
Resource Disk Management
- Formatting and mounting the resource disk
- Configuring swap space
Networking
- Manages routes to improve compatibility with platform DHCP servers
- Ensures the stability of the network interface name
Kernel
- Configure virtual NUMA (disable for kernel <2.6.37)
- Consume Hyper-V entropy for /dev/random
- Configure SCSI timeouts for the root device (which could be remote)
Diagnostics
- Console redirection to the serial port
SCVMM Deployments
- Detect and bootstrap the VMM agent for Linux when running in a System Center Virtual Machine Manager 2012R2 environment
VM Extension
- Inject component authored by Microsoft and Partners into Linux VM (IaaS) to enable software and configuration automation
- VM Extension reference implementation on GitHub
With walinuxagent, you can execute commands with root permission from the Azure portal.
You can also reset SSH login info, etc.
If you do not want Azure to control your VM, you should disable walinuxagent or remove it.
To check the current walinuxagent service status on Debian buster:
$ systemctl list-unit-files | grep agent
waagent-apt.service enabled
waagent-provision.service static
waagent-resourcedisk.service static
walinuxagent.service enabled
To stop and disable the walinuxagent service:
$ sudo systemctl stop walinuxagent
$ sudo systemctl disable walinuxagent
Synchronizing state of walinuxagent.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable walinuxagent
insserv: warning: current start runlevel(s) (empty) of script `walinuxagent' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `walinuxagent' overrides LSB defaults (0 1 6).
Removed /etc/systemd/system/multi-user.target.wants/walinuxagent.service.
To query the installed agent package on Debian buster:
$ sudo dpkg -l|grep waagent
ii waagent 2.2.34-4 all Windows Azure Linux Agent
To remove it on Debian:
$ sudo apt-get purge waagent -y
$ sudo apt-get autoremove -y
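The stop and disable commands above name only walinuxagent, while the first listing also shows waagent-apt.service as enabled. The following check is an added example (not from the original page or the WALinuxAgent project) that parses `systemctl list-unit-files` and `dpkg -l` output to confirm nothing agent-related is left enabled or installed; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the disable/remove steps above.
# The name patterns (waagent*, walinuxagent*) are taken from the command
# output shown on this page; other distributions may use other names.

# Print agent units in state $1; reads `systemctl list-unit-files` output on stdin.
agent_units_in_state() {
    awk -v want="$1" '$1 ~ /^(waagent|walinuxagent)/ && $2 == want { print $1 }'
}

# Print installed agent packages; reads `dpkg -l` output on stdin.
# Only status "ii" (installed) counts; "rc" (removed, config left) does not.
agent_packages_installed() {
    awk '$1 == "ii" && $2 ~ /^(waagent|walinuxagent)/ { print $2 }'
}

# Return 0 only when no agent unit is enabled and no agent package is installed.
# $1 = list-unit-files output, $2 = dpkg -l output.
agent_removed() {
    enabled=$(printf '%s\n' "$1" | agent_units_in_state enabled)
    pkgs=$(printf '%s\n' "$2" | agent_packages_installed)
    [ -z "$enabled" ] && [ -z "$pkgs" ]
}

# Constructed sample: the unit listing from this page with only
# walinuxagent.service switched to disabled, plus the dpkg line shown above.
SAMPLE_UNITS='waagent-apt.service enabled
waagent-provision.service static
waagent-resourcedisk.service static
walinuxagent.service disabled'
SAMPLE_DPKG='ii waagent 2.2.34-4 all Windows Azure Linux Agent'

# Live check for a real host (needs systemd and dpkg); call it manually.
audit_live() {
    if agent_removed "$(systemctl list-unit-files)" "$(dpkg -l)"; then
        echo "agent removed"
    else
        echo "agent still present"
    fi
}

# Demo on the constructed sample: list what is still enabled.
echo "still enabled in sample:"
printf '%s\n' "$SAMPLE_UNITS" | agent_units_in_state enabled
```

Units reported as static have no install section and can still be started by other units, so review them with `agent_units_in_state static` as well.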