⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2021-11-17.

CVE-2021-38647

Severity: 9.8 CRITICAL
EPSS: 94.4% (top 0.04%)
CISA KEV: KEV, Ransomware. Added 2021-11-03. Due 2021-11-17.
Exploit: Exploited in wild. Active exploitation observed.
Timeline:
Published: Sep 15
KEV added: Nov 3
KEV due: Nov 17
Latest update: May 24
CISA Required Action: Apply updates per vendor instructions.

Description

Open Management Infrastructure Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (9 packages)

Source | Package | Affected version | Fixed in
CVEListV5 | microsoft/open_management_infrastructure | 16.0 | OMI Version 1.6.8-1
CVEListV5 | microsoft/azure_automation_update_management | 1.0.0 | OMS Agent for Linux GA v1.13.40-0
CVEListV5 | microsoft/azure_sentinel | 1.0.0 | OMS Agent for Linux GA v1.13.40-0
CVEListV5 | microsoft/azure_stack_hub | 1.0.0 | Monitor, Update and Config Mgmnt 1.14.01+1
CVEListV5 | microsoft/log_analytics_agent | 1.0.0 | OMS Agent for Linux GA v1.13.40-0

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-rp2g-5hw2-q565: Open Management Infrastructure Remote Code Execution Vulnerability (2022-05-24)
CVEList: Open Management Infrastructure Remote Code Execution Vulnerability (2021-09-15)
VulnCheck: Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability (2021)

💥 Exploits & PoCs (1)

Nuclei: Microsoft Open Management Infrastructure - Remote Code Execution

🔍 Detection Rules (3)

Suricata: ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M2 (2021-09-16)
Suricata: ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1 (2021-09-15)
Suricata: ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed (2021-09-15)

📋 Vendor Advisories (2)

CISA: Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability (2021-11-03)
Microsoft: Open Management Infrastructure Remote Code Execution Vulnerability (2021-09-14)

🕵️ Threat Intelligence (4)

Unit42: Network Security Trends: August-October 2021 (2021-12-21)
Unit42: Threat Brief: OMI Vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649) (2021-09-16)
Wiz: OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers | Wiz Blog (2021-09-14)
OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers | Wiz Blog2021-09-14
CVE-2021-38647 (CRITICAL CVSS 9.8) | Open Management Infrastructure Remo | cvebase.io