cbcvebase.
CVE-2021-38645
published 2021-09-15

CVE-2021-38645: Open Management Infrastructure Elevation of Privilege Vulnerability

Priority: P1 80 · high · CVSS 3.1: 7.8
Vector: AV:L AC:L PR:L UI:N S:U C:H I:H A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 1.79% (75.6th percentile)
Open Management Infrastructure Elevation of Privilege Vulnerability

Affected

20 ranges

Vendor | Product | Version range | Fixed in
microsoft | azure_automation_update_management | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0
microsoft | azure_diagnostics | >= 3.0.0 < LAD v4.0.13 and LAD v3.0.135 | LAD v4.0.13 and LAD v3.0.135
microsoft | azure_security_center | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0
microsoft | azure_sentinel | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0
microsoft | azure_stack_hub | >= 1.0.0 < Monitor, Update and Config Mgmnt 1.14.01 | Monitor, Update and Config Mgmnt 1.14.01
microsoft | azure_stack_hub | >= 1.0.0 < 3.1.135 | 3.1.135
microsoft | container_monitoring_solution | >= 1.0.0 < publication | publication
microsoft | log_analytics_agent | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0
microsoft | open_management_infrastructure | >= 16.0 < OMI Version 1.6.8-1 | OMI Version 1.6.8-1
microsoft | system_center_operations_manager | >= 1.0.0 < OMI version: 1.6.8-1 | OMI version: 1.6.8-1
msrc | azure_automation_state_configuration_dsc_extension | |
msrc | azure_automation_update_management | |
msrc | azure_diagnostics | |
msrc | azure_security_center | |
msrc | azure_sentinel | |
msrc | azure_stack_hub | |
msrc | container_monitoring_solution | |
msrc | log_analytics_agent | |
msrc | open_management_infrastructure | |
msrc | system_center_operations_manager | |

Detection & IOCs (extracted from sources)

port 5986
port 5985
port 1270
process omiserver
process omiengine
path /opt/omi/bin/omicli
snort SID 58169
  • For CVE-2021-38645 (local privilege escalation), detect exploitation by monitoring for OMI command execution requests sent to the omiengine UNIX socket that skip the authentication handshake — the request omits the authentication part and is forwarded directly to omiserver with default uid=0/gid=0 privileges.
  • Monitor for unexpected processes spawned as uid=0/gid=0 (root) originating from omiserver or omiengine, which would indicate successful privilege escalation via CVE-2021-38645.
  • Hunt for cryptocurrency miner (coin miner) processes on Azure Linux VMs running OMI, as active exploitation of OMIGOD has been observed installing coin miners.
  • Monitor for Mirai botnet activity targeting OMI ports on Azure Linux VMs, as Mirai was observed launching mass exploitation attempts against OMIGOD vulnerabilities.
  • Use GreyNoise GNQL query 'cve:CVE-2021-38647' to identify opportunistic scanning/exploitation IPs targeting OMIGOD vulnerabilities.
  • The RCE variant (CVE-2021-38647) requires OMI ports to be externally exposed; CVE-2021-38645 is a local privilege escalation and does not require external port exposure — it affects all OMI installations regardless of network exposure.
  • OMI is silently installed on Azure Linux VMs when certain services are enabled (Azure Automation, OMS, Log Analytics, etc.) without explicit customer knowledge; inventory checks should not rely on customer awareness of OMI presence.
  • Microsoft's initial remediation guidance was ineffective; Azure Linux machines were not configured to the repository where the fixed OMI version was located. Verify patching was actually applied rather than relying solely on Microsoft's initial advisory.
  • The patch commit was visible in the OMI GitHub repository for over a month before official disclosure, meaning threat actors may have developed exploits prior to the September 14, 2021 Patch Tuesday release.
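The two inventory points above (OMI is installed silently, and the first fix guidance did not actually update hosts) call for a host-side check rather than trust in the customer's records. The script below is an added example, not Microsoft's or the OMI project's tooling: it looks for the omicli path and the omiserver/omiengine daemons named in this record, reads the installed package version, and compares it with the fixed release 1.6.8-1. It assumes the package is named "omi" on both dpkg- and rpm-based distributions.

```shell
#!/bin/sh
# Added inventory check (example code, not Microsoft's tooling): is OMI installed
# on this Linux host, and is it at or above the fixed release in the record, 1.6.8-1?
FIXED_OMI_VERSION="1.6.8-1"
# Succeeds when the installed version string (e.g. 1.6.7-1) is at or above the fix.
# sort -V orders "major.minor.patch-release" strings as dpkg and rpm print them.
omi_version_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_OMI_VERSION" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_OMI_VERSION" ]
}
# Prints the installed OMI package version; fails if no "omi" package is installed.
# Assumption: the package is named "omi" on both dpkg- and rpm-based distributions.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W omi >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi
    elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    else
        return 1
    fi
}
# Evidence of OMI beyond the package database: the CLI path and the two daemons
# named in the record, so an unpackaged or silently installed copy is still found.
omi_present() {
    [ -x /opt/omi/bin/omicli ] && return 0
    pgrep -x omiserver >/dev/null 2>&1 && return 0
    pgrep -x omiengine >/dev/null 2>&1
}
# Status: 0 = OMI absent or fixed, 1 = below the fix, 2 = present but version unknown.
check_omi_host() {
    if ! omi_present; then
        echo "OMI not present on this host"
        return 0
    fi
    if ! ver=$(installed_omi_version); then
        echo "OMI present but no 'omi' package found; inspect /opt/omi/bin/omicli by hand"
        return 2
    fi
    if omi_version_fixed "$ver"; then
        echo "OMI $ver installed: at or above $FIXED_OMI_VERSION"
        return 0
    fi
    echo "OMI $ver installed: below $FIXED_OMI_VERSION, CVE-2021-38645 not patched"
    return 1
}
# $status carries the result; a wrapper can exit with it to drive fleet-wide reporting.
status=0; check_omi_host || status=$?
```

Run it as root on each Linux VM that has ever had Azure Automation, OMS or Log Analytics enabled; a status of 2 means OMI files or daemons are present without a package record and needs a manual look.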

CVSS provenance

nvd v3.1 | 7.8 HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0 | 4.6 MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 7.8 HIGH
cisa | 7.8 HIGH
vendor_msrc | 7.8 HIGH