cbcvebase.
CVE-2021-38648
published 2021-09-15

CVE-2021-38648: Open Management Infrastructure Elevation of Privilege Vulnerability

Priority: P181 high
CVSS 3.1 base score: 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due date 2021-11-17
Exploited in the wild
EPSS: 10.93% (95.3rd percentile)

Affected

20 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_automation_update_management | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_diagnostics | >= 3.0.0 < LAD v4.0.13 and LAD v3.0.135 | LAD v4.0.13 and LAD v3.0.135 |
| microsoft | azure_security_center | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_sentinel | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_stack_hub | >= 1.0.0 < Monitor, Update and Config Mgmnt 1.14.01 | Monitor, Update and Config Mgmnt 1.14.01 |
| microsoft | azure_stack_hub | >= 1.0.0 < 3.1.135 | 3.1.135 |
| microsoft | container_monitoring_solution | >= 1.0.0 < publication | publication |
| microsoft | log_analytics_agent | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | open_management_infrastructure | >= 16.0 < OMI Version 1.6.8-1 | OMI Version 1.6.8-1 |
| microsoft | system_center_operations_manager | >= 1.0.0 < OMI version: 1.6.8-1 | OMI version: 1.6.8-1 |
| msrc | azure_automation_state_configuration_dsc_extension | | |
| msrc | azure_automation_update_management | | |
| msrc | azure_diagnostics | | |
| msrc | azure_security_center | | |
| msrc | azure_sentinel | | |
| msrc | azure_stack_hub | | |
| msrc | container_monitoring_solution | | |
| msrc | log_analytics_agent | | |
| msrc | open_management_infrastructure | | |
| msrc | system_center_operations_manager | | |

Detection & IOCs (extracted from sources)

  • port 5986
  • port 5985
  • port 1270
  • path /opt/omi/bin/omicli
  • snort SID 58169
  • For CVE-2021-38648 (local privilege escalation), detect exploitation by monitoring for OMI UNIX socket requests that skip the authentication handshake — specifically, command execution requests (e.g. SCX provider ExecuteShellCommand) forwarded to omiserver without a preceding authentication exchange, resulting in uid=0/gid=0 execution.
  • Detect HTTP/HTTPS requests to OMI management ports (5986, 5985, 1270) that are missing the Authorization header — this is the exploit primitive shared between CVE-2021-38647 (RCE) and CVE-2021-38648 (LPE).
  • Alert on processes spawned as uid=0/gid=0 originating from omiserver or omiengine, especially when the parent process chain does not include a legitimate authenticated omicli session.
  • Use Snort SID 58169 to detect OMIGOD exploitation attempts (covers CVE-2021-38648 among the OMIGOD set) as published by Cisco Talos.
  • Monitor for cryptocurrency miner (coin miner) installation on Azure Linux VMs as a post-exploitation indicator following OMIGOD exploitation.
  • Threat intelligence: monitor for Mirai botnet activity targeting OMI ports, as Mirai was observed launching mass exploitation attempts against OMIGOD vulnerabilities.
  • CVE-2021-38648 is a LOCAL privilege escalation only — it does not enable remote exploitation unless combined with another initial access vector. The UNIX socket (not the HTTPS port) is the attack surface for this CVE.
  • CVE-2021-38648 affects all OMI installations prior to version 1.6.8-1. Patched version is 1.6.8-1 and above. Verify OMI version on all Azure Linux VMs, as automatic updates may not cover all deployment types.
  • OMI is silently installed on Azure Linux VMs when certain services are enabled (Azure Automation, OMS, Log Analytics, etc.), meaning many customers may be unaware they are running a vulnerable OMI instance.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |