CVE-2021-38649
Published 2021-09-15
CVE-2021-38649: Open Management Infrastructure Elevation of Privilege Vulnerability
Priority: P1 (80, high) · CVSS 3.1: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 1.90% (77.0th percentile)
Affected: 20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_automation_update_management | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_diagnostics | >= 3.0.0 < LAD v4.0.13 and LAD v3.0.135 | LAD v4.0.13 and LAD v3.0.135 |
| microsoft | azure_security_center | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_sentinel | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_stack_hub | >= 1.0.0 < Monitor, Update and Config Mgmnt 1.14.01 | Monitor, Update and Config Mgmnt 1.14.01 |
| microsoft | azure_stack_hub | >= 1.0.0 < 3.1.135 | 3.1.135 |
| microsoft | container_monitoring_solution | >= 1.0.0 < publication | publication |
| microsoft | log_analytics_agent | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | open_management_infrastructure | >= 16.0 < OMI Version 1.6.8-1 | OMI Version 1.6.8-1 |
| microsoft | system_center_operations_manager | >= 1.0.0 < OMI version: 1.6.8-1 | OMI version: 1.6.8-1 |
| msrc | azure_automation_state_configuration_dsc_extension | — | — |
| msrc | azure_automation_update_management | — | — |
| msrc | azure_diagnostics | — | — |
| msrc | azure_security_center | — | — |
| msrc | azure_sentinel | — | — |
| msrc | azure_stack_hub | — | — |
| msrc | container_monitoring_solution | — | — |
| msrc | log_analytics_agent | — | — |
| msrc | open_management_infrastructure | — | — |
| msrc | system_center_operations_manager | — | — |
Detection & IOCs (extracted from sources)
Snort SID 58169
- CVE-2021-38649 is a local privilege escalation in OMI exploited by intercepting omicli-to-omiengine UNIX socket communication, omitting the authentication handshake, and reissuing a command execution request — the command executes as root (uid=0, gid=0) due to an uninitialized AuthInfo struct.
- Alert on OMI processes (omiserver, omiengine) spawning unexpected child processes as uid=0/gid=0, especially when initiated by low-privileged users — this is the hallmark of OMIGOD privilege escalation exploitation.
- Monitor for active exploitation of OMIGOD by DDoS botnets (Mirai) and cryptominers targeting Azure Linux VMs; coin miner installation is a confirmed post-exploitation indicator.
- Use Talos Snort SID 58169 to detect exploitation attempts against the OMIGOD vulnerability set including CVE-2021-38649.
- CVE-2021-38649 is a local privilege escalation only; remote exploitation requires ports 5986/5985/1270 to be exposed, which is NOT the default for most Azure services using OMI (e.g. Log Analytics). The LPE path is via the local UNIX socket.
- Affected OMI versions are 1.6.8.0 and below; the fixed version is 1.6.8-1 and above. Patching occurs through the parent Azure service that installed OMI, not directly — customers must verify their environment is running the patched version.
- Microsoft's initial remediation guidance was ineffective — Azure Linux machines were not configured to the repository where the fixed OMI version was located. Customers should verify the fix was actually applied.
- The vulnerability patch commit was silently pushed to the public OMI GitHub repo on August 12, 2021 — over a month before official disclosure — meaning threat actors could have developed exploits from the patch diff before customers had any notification.
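Because the fix only arrives through whichever Azure service installed OMI, the practical check is comparing the installed build against 1.6.8-1. As an added example (not code from any source quoted on this page), the Python below normalises the two version spellings that appear above (1.6.8.0 from package managers, 1.6.8-1 from OMI itself) so they compare correctly; the omiserver path and its -v flag are assumptions, and the sample strings are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed OMI build, per the advisory data above.
FIXED_OMI_VERSION = "1.6.8-1"
# Assumed install path of the OMI server binary and assumed '-v' flag that prints its version.
OMISERVER_BIN = "/opt/omi/bin/omiserver"

Version = Tuple[int, int, int, int]


def parse_omi_version(text: str) -> Optional[Version]:
    """Extract an OMI version from free text as (major, minor, patch, build).

    OMI writes the build number after a dash ("1.6.8-1") while package managers
    often report it as a fourth dotted component ("1.6.8.0"). Both spellings are
    accepted; a missing build number counts as 0. Returns None if nothing matches.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?", text)
    if match is None:
        return None
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_patched(version_text: str, fixed: str = FIXED_OMI_VERSION) -> Optional[bool]:
    """True if the version found in version_text is at least the fixed build,
    False if it is older, None if no version could be parsed."""
    found = parse_omi_version(version_text)
    if found is None:
        return None
    return found >= parse_omi_version(fixed)


def installed_omi_version_text() -> Optional[str]:
    """Ask the local omiserver for its version string (assumed '-v' flag);
    None if OMI is not installed or the binary cannot be run."""
    try:
        proc = subprocess.run([OMISERVER_BIN, "-v"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stdout + proc.stderr


# Constructed sample strings in the shapes a package manager or the binary might print.
SAMPLE_OUTPUTS = {
    "dpkg_vulnerable": "ii  omi  1.6.8.0  amd64  Open Management Infrastructure",
    "rpm_vulnerable": "omi-1.6.4-1.x86_64",
    "binary_fixed": "/opt/omi/bin/omiserver: 1.6.8-1",
    "no_omi": "package omi is not installed",
}


def main() -> None:
    for label, text in SAMPLE_OUTPUTS.items():
        print(f"{label:16} -> patched={is_patched(text)}")
    live = installed_omi_version_text()
    print("live host ->", "OMI not found" if live is None else f"patched={is_patched(live)}")


if __name__ == "__main__":
    main()
```

A result of None from is_patched means the text carried no version at all, which on a host that should have OMI is itself worth investigating rather than treating as safe.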
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.0 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.0 | HIGH | — |
CISA
Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2021-38649 [HIGH]
Vulnerability: Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability
Affected: Microsoft Open Management Infrastructure (OMI)
Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-38649
Remediation Due Date: 2021-11-17
Microsoft
Open Management Infrastructure Elevation of Privilege Vulnerability
vendor_msrc·2021-09-14·CVSS 7.0
CVE-2021-38649 [HIGH]
FAQ: Update 9/16/2021: Where can I find more information about how to know if I'm protected and what steps can be taken to be protected?
Please see Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information.
What is OMI?
Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor.
GHSA
GHSA-9rvc-mxjm-qh6v: Open Management Infrastructure Elevation of Privilege Vulnerability
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2021-38649 [HIGH] CWE-269
Open Management Infrastructure Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-38645, CVE-2021-38648.
GHSA
GHSA-727j-58h7-43f5: Open Management Infrastructure Elevation of Privilege Vulnerability
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2021-38645 [HIGH] CWE-269
Open Management Infrastructure Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-38648, CVE-2021-38649.
GHSA
GHSA-p8gr-7qcg-86p9: Open Management Infrastructure Elevation of Privilege Vulnerability
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2021-38648 [HIGH] CWE-269
Open Management Infrastructure Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-38645, CVE-2021-38649.
VulnCheck
Microsoft Open Management Infrastructure (OMI) Privilege Escalation Vulnerability
vulncheck·2021·CVSS 7.0
CVE-2021-38649 [HIGH]
Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation.
Affected: Microsoft Open Management Infrastructure (OMI)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://news.sophos.com/en-us/2021/09/14/big-office-bug-squashed-for-september-2021s-patch-tuesday/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2021-11-17
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
blogs_qualys·2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISAs Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
- Start your VMDR 30-day, no-cost trial today
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Talos
Threat Source newsletter (Sept. 23, 2021)
blogs_talos·2021-09-23
Good afternoon, Talos readers.
The Russian APT Turla is one of the most notorious threat actors out there today. And they aren't stopping, recently adding a new backdoor to their arsenal that serves as a "last chance" to retain a foothold on victim machines, even after their other malware has been removed.
Elsewhere on the APT landscape, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory warning users and organizations about a recent spike in Conti ransomware attacks. Their report even included a Talos shout-out! If you want to read our recent work on Conti, you can check out our major takeaways from their leaked playbook, and an episode of Talos Takes covering the matter.
## Upcoming Talos public engagements
Chats, Cheats, and Cracks: Abuse of Collaboration
Tenable
CVE-2021-38647 (OMIGOD): Critical Flaw Leaves Azure Linux VMs Vulnerable to Remote Code Execution
blogs_tenable·2021-09-17·CVSS 9.8
CVE-2021-38647 [CRITICAL]
Unit42
Threat Brief: OMI Vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649)
blogs_unit42·2021-09-16·CVSS 7.8
CVE-2021-38645 [HIGH]
Nathaniel Quist
Published: September 16, 2021
## Executive Summary
On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the findings of four critical vulnerabilities affecting the Microsoft Azure package Open Management Infrastructure (OMI). The open-source OMI package is designed to provide a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytic services and automation functionality within UNIX and Linux systems. OMI is used by Microsoft Azure to manage UNIX packages within Azure virtual machines (VMs), containers and serverless cloud instances. According to Microsoft’s security release notes, any system created, or which has updated its OMI package, after Aug. 11, 2021, should automatically be patched.
## Four Critical OMI Vulnerab
Wiz
OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers
blogs_wiz·2021-09-14·CVSS 7.8
CVE-2021-38647 [HIGH]
The Wiz Research Team recently found four critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure. The vulnerabilities are very easy to exploit, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges.
- CVE-2021-38647 – Unauthenticated RCE as root
- CVE-2021-38648 – Privilege Escalation vulnerability
- CVE-2021-38645 – Privilege Escalation vulnerability
- CVE-2021-38649 – Privilege Escalation vulnerability
Many different services in Azure are affected, including Azure Log Analytics, Azure Diagnostics and Azure Security Center, as Microsoft uses OMI extensively behind the scenes as a common component for many of its
Qualys
Microsoft and Adobe Patch Tuesday (September 2021) – Microsoft 60 Vulnerabilities with 3 Critical, Adobe 61 Vulnerabilities
blogs_qualys·2021-09-14·CVSS 8.1
CVE-2021-40444 [HIGH]
## Microsoft Patch Tuesday – September 2021
Microsoft patched 60 vulnerabilities in their September 2021 Patch Tuesday release, and an additional 26 CVEs since September 1st. Among the 60 released in the September Patch Tuesday, 3 of them are rated as critical severity, one as moderate, and 56 as important.
## Critical Microsoft Vulnerabilities Patched
CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability
This vulnerability has been publicly disclosed and is known to be exploited. The vulnerability allows for remote code execution via MSHTML, a component used by Internet Explorer and Office. Microsoft also released a workaround to show how users can disable ActiveX controls in IE. The vendor has assigned a CVSSv3 base score of 8.8. It should be prioritized for patching.
Wiz
“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution
blogs_wiz·2021-09-14
Update September 18, 08:00AM EST - Microsoft updated its advisory and declared an auto-update for their PaaS service offerings that use vulnerable VM extensions by September 22, 2021. Microsoft also clarified which instances will still require manual patching, see details.
Update September 17, 10:00AM EST - Wiz's threat research team is aware of wide active exploitation attempts of OMIGOD by malicious DDoS botnets (Mirai) and cryptominers. We urge customers to follow the remediation steps below.
Update September 17, 06:00AM EST - Microsoft has started updating impacted Azure services. Azure Log Analytics and others are yet to be patched. Existing machines onboarded to impacted services still require manual update. Follow the updated mitigation guidance by MSRC.
Update September 16, 07
Greynoiseio
Malicious Tag Roundup (Sep 14-30, 2021)
blogs_greynoiseio·CVSS 7.8 · HIGH
- 2021-09-15: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild